I'll throw one other technique out there that I use quite a bit. It may not handle things like verifying someone can see something in Object Explorer that they think they should, but it could help with specific database or server-level permissions. Your comment at the very least I would like to be able to be more confident when I add someone to a group in Windows that they'll be able to access the databases properly is aligned with my thought process as well and is exactly why I take the extra step myself before responding to users that they have been granted a specific permission. After setting up the Login I'll run something along these lines:

EXECUTE AS LOGIN = 'domain\winodows.user';

GO

SELECT SUSER_SNAME() AS impersonated_security_context

GO

BEGIN TRAN

-- try the operation the login is supposed to be able to perform

ROLLBACK

GO

REVERT

GO

SELECT SUSER_SNAME() AS original_security_context

GO