We are currently in the process of migrating our users from one Active Directory domain to another.
The users already exist in the target domain so we were looking to mass change our NTFS permissions to include the user from the new domain whilst also retaining the permissions from the old domain.
A tool that Microsoft supplies looked ideal for the task – subinacl – apart from in one respect – the tool was deigned to replace permissions instead of adding to them. The way we got round this problem was to edit the export from subinacl and add in the new permissions that we wanted and then to run the export file against the NTFS volume.
So this was a 4 step process.