I would try to avoid local machine groups when dealing with NTFS permissions. You might be confused with domain local groups, which are sometimes also called local groups. If you really need to use a local machine group, you can make the global group a member of the local machine group.
A common principle to remember is ADGLP. User and computer accounts are members of account groups, which are members of global groups that represent business roles; the global groups are members of AD domain local groups that describe resource permissions or user rights assignments.
Here is a general PowerShell script example of creating an ADGLP group using PowerShell.
```powershell
# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

# Define business roles
$accountingRole = "Accounting"
$readersRole = "Readers"
$folderAccessRole = "FolderAccess"

# Define group names based on business roles
$accountGroupName = "AG_$accountingRole"
$globalGroupName = "GG_$readersRole"
$domainLocalGroupName = "DL_$folderAccessRole"

# Create Active Directory groups
New-ADGroup -Name $accountGroupName -GroupScope Global -GroupCategory Security
New-ADGroup -Name $globalGroupName -GroupScope Global -GroupCategory Security
New-ADGroup -Name $domainLocalGroupName -GroupScope DomainLocal -GroupCategory Security

# Add user accounts to the account group
Add-ADGroupMember -Identity $accountGroupName -Members "User1", "User2"
# Add the account group to the global group (business role)
Add-ADGroupMember -Identity $globalGroupName -Members $accountGroupName
# Add the global group to the domain local group (resource permission);
# without this step the ACL entry below grants access to nobody
Add-ADGroupMember -Identity $domainLocalGroupName -Members $globalGroupName

# Get the folder path
$folderPath = "C:\Path\To\Your\Folder"

# Get the folder's ACL (Access Control List)
$acl = Get-Acl -Path $folderPath

# Create a read permission for the domain local group
# ("Domain" is a placeholder for your domain's NetBIOS name)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Domain\$domainLocalGroupName", "Read", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)

# Apply the modified ACL to the folder
Set-Acl -Path $folderPath -AclObject $acl
```
Please remember to test this script first and change the values to your environment.
whoami /groups
when logged on with the domain account on the server with the folder. If you are not logging on locally but accessing it using a share, you should specify that and the details.
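To check an existing folder against the ADGLP layout described above, the following added example (not code from the thread) reports every explicit ACL entry that is not a domain local group, or whose domain local group has accounts as direct members. It assumes the ActiveDirectory module, a single domain, and the placeholder folder path from the script above; `Test-AdglpAcl` is a hypothetical function name.

```powershell
Import-Module ActiveDirectory

function Test-AdglpAcl {
    param([Parameter(Mandatory)][string]$Path)

    # SID prefix shared by every principal created in the current domain
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Only entries set directly on this folder; inherited ones belong to a parent
    $explicit = (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited }

    foreach ($ace in $explicit) {
        # Work with the SID so the lookup does not depend on the name format
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        $finding = 'OK: domain local group with no accounts as direct members'

        if (-not $sid.StartsWith("$domainSid-")) {
            # Local machine groups, BUILTIN and well-known SIDs land here
            $finding = 'Review: local machine, builtin or well-known principal'
        } else {
            $group = Get-ADGroup -Filter "SID -eq '$sid'"
            if (-not $group) {
                $finding = 'Review: user or computer account granted access directly'
            } elseif ($group.GroupScope -ne 'DomainLocal') {
                $finding = "Review: $($group.GroupScope) group on the ACL, expected DomainLocal"
            } else {
                # Accounts should reach the domain local group through global groups
                $direct = @(Get-ADGroupMember -Identity $group |
                    Where-Object { $_.objectClass -ne 'group' })
                if ($direct.Count -gt 0) {
                    $finding = "Review: $($direct.Count) account(s) are direct members"
                }
            }
        }

        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            Type     = $ace.AccessControlType
            Finding  = $finding
        }
    }
}

# Placeholder path taken from the script above; change it to your folder
Test-AdglpAcl -Path 'C:\Path\To\Your\Folder' | Format-Table -AutoSize
```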