The simple truth of the matter is that if the users are members of SYSADMIN role, then they own your database. Your organzation doesn't have one or two DBA's, it now has 100 DBAs. They can delete tables, drop tables, add more users, take down the server, or anything else they choose, and there is not a damn thing you can do about it, unless you remove them from the sysadmin role. You should be thakful that they havn't decided to drop all the databases or remove you from the sysadmin role, in which case you'd be out of a job!

First, remove these users from sysadmin server role and all other server and database roles so that they are reduced down to 'public'. Public is the default role when a user is first added to a database in SQL Server 2005, and at this point they have access to basically nothing.

Next, create a new 'application role' that will define permission for the user group. Add that role as a member of the builtin database roles 'db_datareader' and 'db_datawriter', which will allow them to read / write any table. Ideally you would only grant the role select, insert, update, etc. permission as needed on specific tables.

Next, under the 'Securables' tab of the Applicaion Role dialog, DENY all permissions on the audit tables.

Next, add each user to the application role and you're done. If you need to adjust permissions, then do that within the application role, not at the user level. If different groups of users need different levels of permissions, then add another application role and re-assign users.