I had to obscure a lot, but the bottom query results correlate to the top results. The first line of the bottom query results show the grantor of the permissions, and the bottom line is the grantee. In this case, a login was explicitly denied impersonation on a server role. I’m using this example because it is really quirky to fix. Most often, you’ll just reverse the permissions, using pretty standard syntax. Even easier, right click on the login, go to the “Securables” tab, and remove the permissions. However, if you are a fan of the TSQL approach, this one is not so straightforward, so it’s a good one to show.
Click through for a demonstration.