hmm..Might be.. any script to find that..also this what i did

Added I.t group as a login on sql server

added i.t group as a user with the database.. made i.t group member of db_reader,db_writed. created a role db_executer, granted execute permission to db_executer and made i.t group member of db_executer role.

added S\Al as a login on sql sevrer

added S\Al as a db user with default schema set to DBO

added S\Al to db_ddladmin

granted alter permission on dbo to s\al

by doing this wouldn't individual get the extra permission he is been granted.. ???

to make this worse..i did exactly something on other database and same person can drop/alter objects..