Analyzing permissions in Active Directory is quite a difficult task for Active Directory administrators.

First, because Active Directory delegation capabilities are extremely powerful and can lead to a highly complex hierarchy that is then hard to check.

Second, because the built-in tools are limited: the permissions are displayed in the properties of each object, and the effective permissions for a user on an object can be calculated, but this is of limited use in large environments and provides approximate and sometimes inaccurate results (see Microsoft KB 933071). Other alternatives will also be described in this post.

Third, because the company may not have a defined delegation model, or may have an old one defined at forest or domain creation. In a perfect world, every Active Directory "should" have a defined (and documented) delegation model which "should" evolve as the enterprise evolves (team reorganizations, company acquisitions, partnerships...). In the same perfect world, Active Directory administrators should be able to check whether the current delegations in Active Directory are in accordance with the defined delegation model, and modify either part according to the desired state.

Last, because this task is a shared responsibility of both the Active Directory service administrators (for the top-level delegations) and Active Directory data administrators (see Microsoft Best Practices for Active Directory Delegation).