Active Directory tracks membership in security groups and uses this membership to connect users to file-system and other resource access control lists (ACLs). In short, placing a user into a security group is the main mechanism for granting security rights to users in Windows.
Windows does not, however, track the history of security groups. There is no way to know when a user was added to a security group, who authorized the change, or why. This means that Windows group membership, by itself, is inadequate for forensic analysis.
Using Group Manager, organizations establish an accountable log of security changes and are able to carry out forensic analysis, if required.