What on earth is the head of the Tech Dept. doing allowing others to know his password???????????? It's morons like him who give the rest of us a bad name. On the, I believe, only two occasions I have had need to give a user an admin password they have been on the phone, trusted staff, (Yes, I trust my COO not to do anything silly), and the password has been changed at the very first opportunity.

If you are an all AD shop you can mitigate some of that risk by restricting users so that they can only log in from certain locations. Set the Tech head to only be able to log in from his own workstation. Then anyone else has to at least be in his office to mess around....