Mac OS X lacks a good command line tool for following a Services Access Control List (SACL) tree of users and groups. If you don't want to, or just can't, use the GUI to list users in service ACLs of your Mac OS X server (or managed client), you need to parse the groups/nested groups/users tree one group at a time, using dscl. It's really painful. As an alternative, I've created a script to handle this for sys admins.
I won't promise you a killer command line tool with foolproof error and recursion handling, but I still believe I've designed a usable piece of shell script -- even if it looks like it's the worst code I've ever written (which is not true; I've made things way uglier). The source code is too long and messy to be just copy-pasted here; just download the getsacls.sh script (4KB) directly from my machine.
How to install getsacls.sh:
Simply copy it to your Mac OS X 10.5 server (or managed client); anywhere in your $PATH should be fine. Then chmod +x the script, so that it can be executed.
How to configure getsacls.sh:
Default values should be OK, but if you really want to change something, open the script in your favorite editor, and find the FEW USER TUNABLE MISCS section. Edit at your own risk.
How to use getsacls.sh:
It's simple: you just have to launch it. It will then proceed with the parsing of every SACL on your local system. You don't need to be root, or even admin. I've tested the script successfully on a client with the guest account. Do not use the sh command to launch this script; getsacls.sh uses special escape sequences and command options that sh will not recognize. Just type getsacls.sh to run it.
If you want to parse only some SACLs, you can provide each SACL name at the command line:
$ getsacls.sh com.apple.access_ssh com.apple.access_loginwindow
Still, you should only use SACL names that exist on your local system. The default output is "fancy" -- it uses bold, indentation, and a beach-ball cursor. If you want the "no fancy" mode, you can either edit the corresponding "tunable misc variable," or define FANCY=NO at launch time:
$ FANCY=NO getsacls.sh com.apple.access_ssh
This "no fancy" mode allows for later parsing.
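The group-by-group walk described at the top of this hint, as an added example (this is not getsacls.sh or any part of it): it flattens one SACL into the users it actually admits and stops when nested groups reference each other. The function names and the sample directory are constructed for illustration; the dscl branch assumes the GroupMembership and NestedGroups attributes, with NestedGroups holding GeneratedUIDs.

```shell
#!/bin/sh
# Added example (not getsacls.sh): flatten one SACL group tree into its users.
# SAMPLE_DIR is constructed data: group|direct users|nested groups.
SAMPLE_DIR='com.apple.access_ssh|alice|admins staff
admins|bob carol|ops
ops|dave|admins
staff|alice erin|'

# users_of GROUP / nested_of GROUP: space-separated names on one line.
# SACL_SOURCE=dscl reads the local node instead of the sample (assumes the
# GroupMembership and NestedGroups attributes; nested groups are GeneratedUIDs).
users_of() {
  if [ "${SACL_SOURCE:-sample}" = dscl ]; then
    dscl . -read "/Groups/$1" GroupMembership 2>/dev/null |
      sed -n 's/^GroupMembership: //p'
  else
    printf '%s\n' "$SAMPLE_DIR" | awk -F'|' -v g="$1" '$1 == g { print $2 }'
  fi
}
nested_of() {
  if [ "${SACL_SOURCE:-sample}" = dscl ]; then
    for uid in $(dscl . -read "/Groups/$1" NestedGroups 2>/dev/null |
                 sed -n 's/^NestedGroups: //p'); do
      # Resolve the UID back to a record name (first field of the first line).
      dscl . -search /Groups GeneratedUID "$uid" | awk 'NR == 1 { print $1 }'
    done
  else
    printf '%s\n' "$SAMPLE_DIR" | awk -F'|' -v g="$1" '$1 == g { print $3 }'
  fi
}

# walk GROUP CHAIN: print "user<TAB>chain" for every user reachable from GROUP.
# CHAIN is the space-separated list of ancestors; a group already on it is a
# membership loop and is skipped, so the recursion always terminates.
walk() {
  for u in $(users_of "$1"); do printf '%s\t%s\n' "$u" "$2"; done
  for g in $(nested_of "$1"); do
    case " $2 " in
      *" $g "*) printf 'loop: %s already in [%s]\n' "$g" "$2" >&2 ;;
      *) ( walk "$g" "$2 $g" ) ;;   # subshell keeps loop variables per level
    esac
  done
}

# sacl_users SACL: unique, sorted user names that the SACL admits.
sacl_users() { walk "$1" "$1" | cut -f1 | sort -u | tr '\n' ' ' | sed 's/ $//'; }

sacl_users com.apple.access_ssh; echo
```

The second column printed by walk shows the chain of groups through which each user gets access, which is what you need when deciding which membership to remove.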
Mac OS X Hints
http://hints.macworld.com/article.php?story=20090710025100899