This script will find users in a database that don't have an exact match for login based on SID, but I think it overstates the number of orphans because if a Windows authenticated user has access to a database through an Active Directory group, then that group will have a different SID than the user. If you drop that user then they lose any permissions that were applied to them directly instead of to the group. It may be an edge case, but I know it exists where I work.
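A query along these lines separates the case the comment describes from true orphans. It is an added example, not the script under discussion, and it assumes SQL Server 2012 or later and the standard catalog views; the column aliases and assessment labels are made up for illustration.

```sql
-- Added example (not the original script): run in the database being reviewed.
-- Lists users whose SID matches no server login, but keeps Windows users
-- apart from SQL users and shows what would be lost if each were dropped.
SELECT
    dp.name      AS database_user,
    dp.type_desc AS principal_type,
    CASE dp.type
        WHEN 'S' THEN 'orphan candidate: SQL user, no login with this SID'
        WHEN 'U' THEN 'review first: Windows user, may still connect via an AD group login'
    END          AS assessment,
    -- Permissions granted or denied to the user directly (CONNECT excluded,
    -- since almost every user holds it).
    (SELECT COUNT(*)
       FROM sys.database_permissions AS p
      WHERE p.grantee_principal_id = dp.principal_id
        AND p.permission_name <> 'CONNECT') AS direct_permissions,
    -- Database roles the user belongs to in their own right.
    (SELECT COUNT(*)
       FROM sys.database_role_members AS rm
      WHERE rm.member_principal_id = dp.principal_id) AS role_memberships
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
WHERE sp.sid IS NULL                      -- no exact SID match at server level
  AND dp.type IN ('S', 'U')               -- SQL users and Windows users only
  AND dp.authentication_type_desc IN ('INSTANCE', 'WINDOWS')  -- skip contained and loginless users
  AND dp.principal_id > 4                 -- skip dbo, guest, INFORMATION_SCHEMA, sys
ORDER BY dp.type, dp.name;
```

A Windows user row with non-zero `direct_permissions` or `role_memberships` is the situation described above: dropping it removes access that the group login does not carry.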