Maybe this would work:

sp_grantlogin [@loginame =] 'login'

sp_grantlogin

sp_revokelogin

Note that the SQL security account procedures and the NT security account procedures differ.

If you got a snapshot of all of the logins/role membership/permissions for the NT accounts, and their NT account name has not changed, then you could scan through them and use the system procedures to re-create it all.

You are right; there may be a tool out there.