
Quick query to list inherited rights (undue) after SP2 upgrades

I attended an upgrade for a customer installing MP1.1 on 4 servers in a hierarchy (1 parent, 3 children). We had some minor problems when we got started but nothing major:

  • 2 servers (including the parent) did not have the MP1.1 upgrade option because SMP 7.1 SP2 was not appearing as installed in SIM. We just ran the upgrade as a new installation.
  • The parent configuration went much too fast to be healthy. In effect it did not install most of the products, so we ran "aexconfig /configureall" manually and this fixed the environment.
  • One role had been granted undesired rights (inherited from the hidden parent folder) on main console locations: "Reports", "Console menu", "Settings" and "Resource".

To solve the last issue we crafted a report based on the following diagram to list the items that roles had access to when they should not:

From this we crafted the following query:

/* Top folders guid list
     Resource     = 'fec994ae-1787-44c2-b5ec-e94d210838c9'
     Reports      = '4d4d03c6-cb51-4502-886f-13f756198b1b'
     Settings     = '5d9e00c1-146f-478b-a94d-ccbbe89e0347'
     Tasks        = '297171fd-395f-41d8-a482-ea4271bc9572'
     Console menu = 'a2145b77-3df4-4b99-b36d-817d82b920a2' */


select i.name as 'Security Role', i2.name as 'Object', stp.permissionguid
  from SecurityACEData ace
  join SecurityTrusteePermission stp
    on ace.TrusteePermissionId = stp.id
  join SecurityTrustee t
    on stp.trusteeguid = t.guid
  join Item i
    on t.Guid = i.Guid
  join Item i2
    on ace.entityguid = i2.guid
 where Inherited = 1
   and EntityGuid in (
		'fec994ae-1787-44c2-b5ec-e94d210838c9',
		'4d4d03c6-cb51-4502-886f-13f756198b1b',
		'5d9e00c1-146f-478b-a94d-ccbbe89e0347',
		'297171fd-395f-41d8-a482-ea4271bc9572',
		'a2145b77-3df4-4b99-b36d-817d82b920a2'
		)
/* -- OPTIONAL FILTER
   and i.name not in (
		'Symantec Level 1 Workers',
		'Symantec Level 2 Workers',
		'Symantec Administrators',
		'Symantec Supervisors',
		'Symantec Guests',
		'Patch Management Administrators',
		'Patch Management Rollout'
		)*/
 order by i.name

Beware of the result, though: the effective permissions for a specific group can also be inherited from other groups, because a role hierarchy can be implemented (a role inherits from the other roles it is in).
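
The caveat above, worked through as an added example (not part of the original post): a T-SQL batch that expands role nesting so each inherited right returned by the query can be traced to every role that effectively receives it. Both table variables hold constructed sample data; @RoleMembership and all role names in it are hypothetical, since the post does not say where the CMDB stores role-in-role membership.

```sql
-- Constructed sample of the audit query's output (role, object).
-- Neither table variable is a real CMDB table.
DECLARE @InheritedAce TABLE (RoleName nvarchar(100), ObjectName nvarchar(100));
INSERT INTO @InheritedAce VALUES
    (N'Helpdesk Base', N'Reports'),
    (N'Helpdesk Base', N'Settings');

-- Hypothetical nesting: MemberRole is a member of ParentRole
-- and therefore also receives ParentRole's rights.
DECLARE @RoleMembership TABLE (MemberRole nvarchar(100), ParentRole nvarchar(100));
INSERT INTO @RoleMembership VALUES
    (N'Helpdesk Tier 1',  N'Helpdesk Base'),
    (N'Helpdesk Interns', N'Helpdesk Tier 1');

WITH RoleClosure (RoleName, SourceRole, Depth) AS (
    -- Anchor: every known role holds its own rights (depth 0).
    SELECT r.RoleName, r.RoleName, 0
      FROM (SELECT RoleName FROM @InheritedAce
            UNION SELECT MemberRole FROM @RoleMembership
            UNION SELECT ParentRole FROM @RoleMembership) r
    UNION ALL
    -- Recursive step: a member of a role also gets whatever that role gets.
    SELECT m.MemberRole, c.SourceRole, c.Depth + 1
      FROM RoleClosure c
      JOIN @RoleMembership m
        ON m.ParentRole = c.RoleName
)
SELECT c.RoleName   AS [Effective Role],
       a.ObjectName AS [Object],
       c.SourceRole AS [Granted Via],
       c.Depth      AS [Nesting Depth]
  FROM RoleClosure c
  JOIN @InheritedAce a
    ON a.RoleName = c.SourceRole
 ORDER BY c.RoleName, a.ObjectName
OPTION (MAXRECURSION 32);  -- a membership cycle raises an error instead of looping
```

Rows with a nesting depth above 0 are rights a role holds only through another role; they would not appear under that role's own name in the audit query, so fixing the ACE on the source role is what removes them.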

