• For the database, create a user-defined database role. Assign it the permissions currently granted to AcmeCorp\SalesUsers. Then make the AcmeCorp\SalesUsers user a member of that role. You can use sp_helprotect to list out all the permissions AcmeCorp\SalesUsers currently has and with some text manipulation you should be able to create the GRANT EXECUTE statements needed for your database role. Repeat for the different permissions levels, etc. You get the idea. If you've already got database roles, sp_helprotect can be used to detail what permissions a particular role has and you could easily generate the proper permissions scripts from its output.

    As far as the users within the database, you can use sp_helpuser to list all the users. You can use sp_helprolemember to list who are members of a given database role. You can build the scripts appropriately that recreate the membership of each database role. This may be affected by the logins if they don't match up. So there may have to be some manual work on your part.

    Logins are a little more difficult given your example. You're going to have to figure out how the logins are going to map from one domain to another. If the group names remain the same then you could use sp_helplogins to create your sp_grantlogin scripts.

    K. Brian Kelley
    @kbriankelley
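
The sp_helprotect approach from the answer above, as an added example that is not part of the original post. It assumes SQL Server 2005 or later and a hypothetical role name, SalesRole. It captures the group's permission rows and prints a script to review before anything is granted.

```sql
-- Added example. Run in the source database; SalesRole is a hypothetical role name.
CREATE TABLE #perms (
    [Owner]       sysname      NULL,
    [Object]      sysname      NULL,
    [Grantee]     sysname      NULL,
    [Grantor]     sysname      NULL,
    [ProtectType] nvarchar(10) NULL,   -- Grant, Deny or Grant_WGO
    [Action]      nvarchar(60) NULL,   -- Select, Execute, Create Table, ...
    [Column]      sysname      NULL    -- '.' or an "all columns" marker unless column-level
);

-- Capture every permission row sp_helprotect reports for the group.
INSERT INTO #perms
EXEC sp_helprotect @username = N'AcmeCorp\SalesUsers';

-- Emit a script for review; this query grants nothing by itself.
SELECT stmt
FROM (
    SELECT 1 AS ord, N'CREATE ROLE [SalesRole];' AS stmt
    UNION ALL
    SELECT 2,
        -- DENY rows are carried over as DENY so the role is not broader than the group.
        CASE WHEN UPPER(RTRIM(ProtectType)) = N'DENY' THEN N'DENY ' ELSE N'GRANT ' END
        + UPPER(RTRIM([Action]))
        -- Statement-level permissions have '.' as the object and take no ON clause.
        + CASE WHEN [Object] = N'.' THEN N''
               ELSE N' ON ' + QUOTENAME([Owner]) + N'.' + QUOTENAME([Object]) END
        -- Anything other than the "all columns" markers is a column-level permission.
        + CASE WHEN ISNULL([Column], N'.') IN
                    (N'.', N'All', N'New', N'All+New', N'(All)', N'(New)', N'(All+New)')
               THEN N''
               ELSE N' (' + QUOTENAME([Column]) + N')' END
        + N' TO [SalesRole]'
        + CASE WHEN UPPER(RTRIM(ProtectType)) = N'GRANT_WGO'
               THEN N' WITH GRANT OPTION' ELSE N'' END
        + N';'
    FROM #perms
    -- The group's own CONNECT permission stays with the user, not the role.
    WHERE UPPER(RTRIM([Action])) <> N'CONNECT'
    UNION ALL
    SELECT 3, N'EXEC sp_addrolemember N''SalesRole'', N''AcmeCorp\SalesUsers'';'
) AS s
ORDER BY ord, stmt;

DROP TABLE #perms;
```

sp_helprotect does not report permissions on securables introduced in SQL Server 2005 (schemas, for example), so compare the generated script against sys.database_permissions before relying on it.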