You could modify the script that I posted to this question.
Microsoft used to have a tool named subinacl that you could use to replace one account with another. They decommissioned that tool. I wrote that script to help a user perform similar functionality.
This is code that I hacked together and didn't parametrize and clean up. All you would have to do is to remove the statements that add the $NewGroup to the new ACL.
Use WhatIf on the Set-Acl to test it and verify that it updates the folders that you expect.