As of 4.6B SP?? (not sure which support pack release) there's a new functionalily for finding and determining access problems for users. Get your user to run the authorization check or su53, then you, the authorizating administrator, type in su53 as well. Now you'll see an icon (two little boxes). Select this and type in that user's logon ID. You now have their SU53 on your screen. This simple method saves the issues of printing to spooler or e-mailing over WAN for such a simple task.