How Group Changes Works

This post provides a bit more detail on how the Group Changes option work and how it uses the lower level AD replication details to determine the group changes, which includes what and when changes were made.  The Group Changes page has the basic information on how it works, here Group Changes 

There are a number of steps to get this information and then display the corresponding details of the group changes for the user.  The Group Changes option uses the Meta Data of groups to determine what changes have been made for a specific users, the Meta Data dialog allow you to displays the AD replication details for an object see Meta Data Dialog

Here is the the meta data dialog for a group called group3

The lower section of the dialog shows the changes to the member attribute, in this example it shows an entry for group1 and group2, the org time and delete time are used to determine if the last action was an addition or deletion from the member attribute.  When an object is added, only the org and create time have values set, and when the object is deleted from the member attribute the delete time value is also set.  In this case both the group1 and group2 have been deleted from group3 member attribute. 
The raw format of the msDS-ReplValueMetaData attribute is XML, this is a screenshot of the LDAP Search function displaying the attribute in it XML format. 

So while the data is available in the AD in XML format, this is not the easiest data format to use, luckily an number of AD Attributes support the binary option, see RFC4522 section 3.  By specifying the attribute as msDS-ReplValueMetaData;binary the DCs will return the data in a DS_REPL_VALUE_META_DATA_BLOB data structure which is much easier to handle from the programmatic point of view. See ds_repl_value_meta_data_blob

So now we are able are able to determine the membership changes that have been made to the group object, we just need to enumerate the replication data of all the groups under the specified BaseDN and display the changes associated to the specified user.