I spent part of the morning gaining access to a Windows 2008 server where the system owner did not have the passwords for the local administrator or a domain admin account. It is a little more complicated than before, but is still not difficult to change first the local administrator password, then the password of any other account.
Even a modern OS falls easily to local attacks. Note that these sorts of attacks are defeated by encryption — but we typically do not want the encryption overhead on servers . This is why servers need to be in locked rooms.