First off, there is no such thing as "prohibited" in CRM security roles. All roles are additive, and the most permissive role for any entity wins (i.e., there is nothing analogous to the "deny" permission in Windows).
So you're going to have to check the roles they're in, and the CRM User report is a good start. It will report all roles a user is a part of, and then you can start testing which roles are too broad.
As for resetting and re-configuring roles in CRM, just remove all roles from everyone and start fresh with new roles.
The postings on this site are solely my own and do not represent or constitute Hitachi Solutions' positions, views, strategies or opinions.
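The additive, most-permissive-wins rule in the answer above is easy to get wrong when auditing a user who holds several roles, so here is a small worked example (added here; not the answer author's code, and not a Dynamics CRM API). It assumes the usual CRM privilege depth ordering None < User < Business Unit < Parent: Child Business Units < Organization and a constructed role matrix of the kind you would transcribe from the CRM User report; the role and entity names are made up.

```python
"""Audit effective CRM privileges for a user holding several security roles.

Added example, not from the original post. Assumes the standard CRM privilege
depths (None < User < BusinessUnit < ParentChild < Organization). ROLES is a
constructed sample matrix; replace it with what the CRM User report shows.
"""
from typing import Dict, List, Tuple

# Privilege depth levels, ranked from least to most permissive (assumed ordering).
DEPTH_RANK = {"None": 0, "User": 1, "BusinessUnit": 2, "ParentChild": 3, "Organization": 4}

Key = Tuple[str, str]          # (entity, privilege), e.g. ("account", "Read")
RoleMatrix = Dict[str, Dict[Key, str]]

# Constructed sample: role -> {(entity, privilege): depth}. Note "None" in one role.
ROLES: RoleMatrix = {
    "Salesperson": {
        ("account", "Read"): "BusinessUnit",
        ("account", "Write"): "User",
        ("contact", "Delete"): "None",      # not a deny: other roles can still grant it
    },
    "Helpdesk": {
        ("account", "Read"): "User",
        ("contact", "Delete"): "Organization",
    },
    "ReadOnly": {
        ("account", "Read"): "Organization",
    },
}


def effective_privileges(user_roles: List[str], roles: RoleMatrix = ROLES) -> Dict[Key, Tuple[str, str]]:
    """Union the user's roles: for each (entity, privilege) the deepest depth wins.

    Returns {(entity, privilege): (depth, role_that_grants_it)}. Privileges that
    no role grants above "None" are omitted, because "None" never subtracts.
    """
    effective: Dict[Key, Tuple[str, str]] = {}
    for role in user_roles:
        for key, depth in roles[role].items():
            current_depth = effective.get(key, ("None", ""))[0]
            if DEPTH_RANK[depth] > DEPTH_RANK[current_depth]:
                effective[key] = (depth, role)
    return effective


def too_broad(user_roles: List[str], max_depth: str, roles: RoleMatrix = ROLES) -> List[Tuple[Key, str, str]]:
    """Flag effective privileges deeper than max_depth, naming the role responsible.

    This is the "which roles are too broad" step: the returned role is the one
    you would trim or remove, since nothing else can reduce the privilege.
    """
    limit = DEPTH_RANK[max_depth]
    flagged = []
    for key, (depth, role) in sorted(effective_privileges(user_roles, roles).items()):
        if DEPTH_RANK[depth] > limit:
            flagged.append((key, depth, role))
    return flagged


if __name__ == "__main__":
    user = ["Salesperson", "Helpdesk"]
    for key, (depth, role) in sorted(effective_privileges(user).items()):
        print(f"{key[0]:8} {key[1]:7} -> {depth:13} (from {role})")
    print("Too broad (above BusinessUnit):", too_broad(user, "BusinessUnit"))
```

Run it with the sample matrix and the user holding Salesperson and Helpdesk ends up with organization-wide contact Delete, even though Salesperson sets that privilege to "None"; the output names Helpdesk as the role to fix, which is exactly the attribution you need before removing roles and rebuilding them.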