Batch file automating Windows HKCU registry permissions using (SetACL)

I am working with our end user team to automate domain migration. We are using a method that involves changing the permissions (including "Replace permission entries on all child objects with readings given here applicable to child objects") in the local user folder and HKCU in regedit.

I was able to automate most of the steps with a simple batch script. For local folder permissions, I used icacls:

icacls C:\Users\%localprofile% /grant %domainuser%@contoso.com:(OI)(CI)F /T

      

        
        
        
      

    

And for the registry, I used SetACL:

"C:\Win7ProfileTool\SetACL\64 bit\SetACL.exe" -on "hkcu" -ot reg -actn ace -ace "n:%domainuser%@contoso.com;p:full"
"C:\Win7ProfileTool\SetACL\64 bit\SetACL.exe" -on "hkcu" -ot reg -actn setprot -op dacl:np;sacl:np

      

        
        
        
      

    

If I follow the method manually, it works without issue. When I run my script, I get an error not loading profile (and temp generated / loaded).

I believe I have narrowed it down to two SetACL lines, but I am not sure exactly what options are needed to emulate "Replace permission entries on all child objects with readings shown here that refer to child objects."

My googlefu led me to an icacls solution that cannot be used in RegEdit and I scrolled through the SetACL help page (specifically the install-protect flags, but I'm not sure about the "protect" )

Today I'm planning to take a look at the Reset Children flag, but I'm not sure if I'm even on the right track.

tl; dr . How to emulate the Advanced Security tab checkbox "Replace permission entries with ..." via CMD using SetACL.