jiffy_79 (8/21/2014)
2. Only users configured by the DBA can decrypt the data automatically. There are also a number of accounts that are sysadmins on the instance that I would need to block.
Not possible without taking the "SA" priv away from them. In the same vein, you need to fix that problem even if you don't do the migration. No one outside of the DBA group should have any higher than "DBO" and you should be ultra stingy even with that priv. NO public facing application should have any higher than Read/Write/Execute privs.
Unrealistic in most shops but certainly attainable, my personal Nirvana would be that no application would ever have more than PUBLIC privs with exec privs on the stored procedures that the app needs to execute. Of course, that also means no ORMs or embedded SQL.
--Jeff Moden
Change is inevitable... Change for the better is not.