NTFS Security - separating ADUsers from ADGroups

I’m working on a script that audits the NTFS security of a file server share, looks only at Explicit security, and returns a list using a reader-friendly name and permissions. Unfortunately, AD Users and AD Groups can both be assigned to NTFS security (preferably AD Groups). So when I pull the results and convert the account names (\SOMEDOMAIN\ADUSER) to a Friendly Name (ADUSER.FirstName ADUSER.LastName), Groups are ignored. Is there some PowerShell code I could incorporate to retrieve the group memberships and list the users along with their permissions?

For this script I’m using the NTFSSecurity Module:

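```powershell
#This script creates a custom object from the NTFS Security on a File Share
#Only individual AD Users will be listed in the resulting csv file
Import-Module NTFSSecurity, ActiveDirectory
$path=Read-Host "Enter UNC or local folder path"
$perms=Get-Item "$path" | Get-NTFSAccess -ExcludeInherited | ForEach{
    New-Object PSObject -Property @{
        #-split takes a regex, so the backslash after the domain name is escaped
        FriendlyName=$(Get-ADUser -Identity $(($_.Account -split "SOMEDOMAIN\\")[1])).Name;
        #This line was lost from the post; AccessRights is the rights property on Get-NTFSAccess output
        Access=$_.AccessRights
    }
}
$perms | Where-Object FriendlyName -ne $null | Select-Object FriendlyName,Access | Export-Csv "C:\temp\NTFSPerms.csv"
```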

First of all, could you please format your code as code? One of the first 3 posts in this forum tells you how.

Did you try Get-ACL? Did you search for it? There has probably already been someone with a similar task: Microsoft TechNet Script Gallery or Microsoft PowerShell Forum

The object returned by Get-NTFSAccess has an AccountType property. Just use it.

For retrieving group info you could use Get-ADGroup.

Thanks for the feedback. I am still getting used to using this forum and programming in PowerShell. Below is the solution I worked out.

```powershell
#Sets the default error action state to suppress console error messages
$ErrorActionPreference="SilentlyContinue"
#input the path to be audited
$script:path=Read-Host "Enter UNC or local folder path"
#Confirms the path is valid to continue (return ends the script; break is meant for loops)
If (!$(Test-Path -LiteralPath $script:path)){Write-Output "Invalid path.";return}
#Return NTFS access results into a new object
$perms=Get-Item "$script:path" | Get-NTFSAccess -ExcludeInherited | ForEach{
    New-Object PSObject -Property @{
        FriendlyName=$(($_.Account -split "SOMEDOMAIN\\")[1]);
        #Line lost from the post; AccessRights is the rights property on Get-NTFSAccess output
        Access=$_.AccessRights
    }
}
#Translates the results into Reader-friendly format
$results= $perms | Where-Object FriendlyName -ne $null | ForEach {
    New-Object PSObject -Property @{
        #If the name is not an AD user, treat it as a group and list its members
        Name=$(
            If(!$(Get-ADUser "$($_.FriendlyName)")) {$(Get-ADGroupMember "$($_.FriendlyName)" -Recursive).Name}
            Else {$(Get-ADUser "$($_.FriendlyName)").Name}
        );
        Access=$_.Access
    }
}
#Exports the results as a csv file
$results | Select-Object @{n="Name";e={($_.Name | Out-String).Trim()}},Access | Export-CSV C:\Temp\NTFSPerms.csv
```
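
Following the AccountType suggestion earlier in this thread, here is an added example (not code from any poster or from the NTFSSecurity module) that branches on each ACE's account type instead of probing Get-ADUser, and records whether a user holds the right directly or through a group. `Expand-AceToUser`, the `Via` column, the sample ACEs and the stub group table are constructed for illustration; it assumes AccountType renders as `User` or `Group`.

```powershell
function Expand-AceToUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Ace,
        [string] $Domain = 'SOMEDOMAIN',
        # Returns user names for a group; replace with a stub to run without a domain
        [scriptblock] $GroupResolver = {
            param($Group)
            (Get-ADGroupMember -Identity $Group -Recursive |
                Where-Object objectClass -eq 'user').Name
        }
    )
    process {
        $acct = [string]$Ace.Account
        $name = $acct.Substring($acct.IndexOf('\') + 1)
        # Builds one output row; Via shows how the user obtained the right
        $row = { param($User, $Via)
            [pscustomobject]@{ User = $User; Via = $Via; Access = [string]$Ace.AccessRights } }
        if ($acct -notlike "$Domain\*") {
            # Local or well-known principal (e.g. BUILTIN\...): report it, do not drop it
            & $row $acct 'non-domain'
        }
        elseif ("$($Ace.AccountType)" -eq 'Group') {
            $members = @(& $GroupResolver $name)
            if ($members.Count -eq 0) { & $row '(no user members)' "group:$name" }
            foreach ($m in $members) { & $row $m "group:$name" }
        }
        else { & $row $name 'direct' }   # explicit per-user ACE, worth flagging in an audit
    }
}

# Constructed sample data standing in for Get-NTFSAccess -ExcludeInherited output
$sample = @(
    [pscustomobject]@{ Account='SOMEDOMAIN\jdoe';        AccountType='User';  AccessRights='Modify' }
    [pscustomobject]@{ Account='SOMEDOMAIN\FS-Finance';  AccountType='Group'; AccessRights='ReadAndExecute' }
    [pscustomobject]@{ Account='BUILTIN\Administrators'; AccountType='Alias'; AccessRights='FullControl' }
)
# Constructed group membership so the example runs without Active Directory
$stubGroups = @{ 'FS-Finance' = 'Alice Smith', 'Bob Jones' }
$stub = { param($Group) $stubGroups[$Group] }

$sample | Expand-AceToUser -GroupResolver $stub | Format-Table User, Via, Access

# Against a real share (needs the NTFSSecurity and ActiveDirectory modules):
# Get-Item $path | Get-NTFSAccess -ExcludeInherited | Expand-AceToUser |
#     Export-Csv C:\Temp\NTFSPerms.csv -NoTypeInformation
```

Rows marked `direct` show the account name rather than the display name; they are the per-user grants the original post says should preferably be replaced by groups.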