Group Compare provides the ability to compare the group membership of two objects, which can be users or groups.  The list memberships that are returned can be derived from either, the memberof attribute of the object or the object’s TokenGroups attribute.  Both options will return the SIDs of all the groups, including nested groups that the object is a member of.  With the TokenGroups option it will also include any domain security principals that are granted to the object.

Once the membership SIDs haves been retrieved for each object, they resolved and compared based on the selected options.

For the SID Resolution there are three options available:

None – the SID is displayed.
Relative – the name associated to the SID based on the SID assigned to the ObjectSID or SIDHistory attributes in the domain.
Absolute – the SID lookup will be completed against the source domain of the SID based on the domain portion of the SID, and the source name is displayed.  This option allow SIDHistory SIDs to resolved correctly.   Note: Network latency or old SID History entries to a non-existent domain can impact the performance of this resolution type

The membership can be compared based on two compare options:

Name - the membership SIDs are resolved based on the SID Resolution option and then the results are compared and matched
Object SID - the membership SIDs are compare before the SID Resolution is completed, then the SID resolution is completed.  This option is best if SID History is being used.

If the SID History Check option is selected the the SIDHistory column will report if the entry is from a SID History entry.

In these example screenshots it shows the difference between MemberOf and TokenGroup and the groups that are returned