I own a networking business in Colorado, and this comes up every so often.
We had one instance where a company was going to fire their network admin (for pirating software and downloading gigs of porn on company time, plus telling the owner that he couldn't be fired because he was not replacable). We were called in to prep for the firing, and we needed to get the password sets for the company.
If you can still find it online, I like using a free floppy disk tool called LinNT, which basically does the above steps using a quick automated process. This does not always work, however. We went to the workstation where the employee did his thing, and used a nifty tool from http://www.loginrecovery.com/. There is a free method, but we opted for the paid version, which gave us all the passwords to each of the accounts he used on his computer in less than three minutes.
We installed Spectre Pro, a program that logs and records everything, including screenshots, emails and chats.
I asked the owner to give the employee a series of tasks, which required logging in to different devices, such as the Cisco routers and switches. We ended up capturing his pirating and porn activities, and found out he was cheating on his wife with two women, but that was beyond our professional scope.
Well, he was fired, and he stormed out saying the owner "would be sorry". He did attempt to sabotage the network, but we had already changed the passwords. He tried to get in from his home DSL connection, but he was blocked. They now have a professional administrator, and we helped screen the applicants.
To prevent people from breaking in to machines using these methods, move the hard drive to the first boot device, and if your BIOS supports it, remove the floppy and CD from the bootable devices. Put a BIOS password on the machines. If needed, you can chage them back when you have to boot using removable media.