Previously, a Windows group was added to a 'full access users' role. It was removed and the cube was processed and deployed, replacing rights, but people in that group still have rights to see the data. They are not listed in any roles.
I've looked through all local Windows groups on the supporting server and the group in question is not in any groups (i.e., if they were in administrators, then they'd have full access through that). The people in the group are not administrators or domain administrators either.
Is there somewhere else I could check on the machine to better find the source of the problem and get the group removed?