Maybe this would work:
sp_grantlogin [@loginame =] 'login'
sp_grantlogin
sp_revokelogin
Note that the SQL security account procedures and the NT security account procedures differ.
If you got a snapshot of all of the logins/role membership/permissions for the NT accounts, and their NT account name has not changed, then you could scan through them and use the system procedures to re-create it all.
You are right; there may be a tool out there.
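As an added illustration of the approach described in the reply above (not part of the original post), the following T-SQL reads the current NT logins, fixed server roles, database users and database role memberships and emits the matching system-procedure calls as text, so the output can be reviewed and saved as the snapshot. It assumes SQL Server 2000 or later system tables (`syslogins`, `sysusers`, `sysmembers`) and does not cover object-level permissions.

```sql
-- Added example: emits a re-create script for review; it executes nothing itself.
-- Assumes SQL Server 2000 or later system tables/compatibility views.
-- Run sections 1-2 once per server and sections 3-4 inside each user database.
SET NOCOUNT ON;

-- 1. NT logins: re-grant or re-deny server access
SELECT CASE WHEN l.denylogin = 1 THEN 'EXEC sp_denylogin' ELSE 'EXEC sp_grantlogin' END
       + ' @loginame = N' + QUOTENAME(l.loginname, '''') + ';'
FROM master.dbo.syslogins AS l
WHERE l.isntname = 1;

-- 2. Fixed server role membership (one output row per login/role pair)
SELECT 'EXEC sp_addsrvrolemember @loginame = N' + QUOTENAME(l.loginname, '''')
       + ', @rolename = N''' + r.rolename + ''';'
FROM master.dbo.syslogins AS l
JOIN (SELECT 'sysadmin' AS rolename UNION ALL SELECT 'securityadmin'
      UNION ALL SELECT 'serveradmin'  UNION ALL SELECT 'setupadmin'
      UNION ALL SELECT 'processadmin' UNION ALL SELECT 'diskadmin'
      UNION ALL SELECT 'dbcreator'    UNION ALL SELECT 'bulkadmin') AS r
  ON 1 = CASE r.rolename
           WHEN 'sysadmin'      THEN l.sysadmin
           WHEN 'securityadmin' THEN l.securityadmin
           WHEN 'serveradmin'   THEN l.serveradmin
           WHEN 'setupadmin'    THEN l.setupadmin
           WHEN 'processadmin'  THEN l.processadmin
           WHEN 'diskadmin'     THEN l.diskadmin
           WHEN 'dbcreator'     THEN l.dbcreator
           WHEN 'bulkadmin'     THEN l.bulkadmin
         END
WHERE l.isntname = 1;

-- 3. Database users mapped to NT logins (matched by SID, not by name)
SELECT 'EXEC sp_grantdbaccess @loginame = N'
       + QUOTENAME(l.loginname COLLATE DATABASE_DEFAULT, '''')
       + ', @name_in_db = N' + QUOTENAME(u.name, '''') + ';'
FROM dbo.sysusers AS u
JOIN master.dbo.syslogins AS l ON l.sid = u.sid
WHERE u.isntname = 1 AND u.hasdbaccess = 1;

-- 4. Database role membership for those NT users
SELECT 'EXEC sp_addrolemember @rolename = N' + QUOTENAME(g.name, '''')
       + ', @membername = N' + QUOTENAME(u.name, '''') + ';'
FROM dbo.sysmembers AS m
JOIN dbo.sysusers AS u ON u.uid = m.memberuid
JOIN dbo.sysusers AS g ON g.uid = m.groupuid
WHERE u.isntname = 1;
```

Diffing the generated statements against a previous run is also a quick way to spot unexpected additions to `sysadmin` or other privileged roles before anything is replayed.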