One of the groups will have a DENY permission on ALTER or similar.
DENY takes precedence over any GRANTed permissions
hmm..Might be.. any script to find that..also this what i did
Added I.t group as a login on sql server
added i.t group as a user with the database.. made i.t group member of db_reader,db_writed. created a role db_executer, granted execute permission to db_executer and made i.t group member of db_executer role.
added S\Al as a login on sql sevrer
added S\Al as a db user with default schema set to DBO
added S\Al to db_ddladmin
granted alter permission on dbo to s\al
by doing this wouldn't individual get the extra permission he is been granted.. ???
to make this worse..i did exactly something on other database and same person can drop/alter objects..