Here's a possible trick. IIRC, the Offline NT Password Recovery disc only resets the Administrator password (afaik). First create an account and give it the rights to edit ACLs. Deny this account access to the group policies folder (C:\Windows\System32\GroupPolicy) but allow it to take access whenever it wants/needs. Now create a very strict group policy using the Admin account and allow everyone (including Administrator) access to the group policy. That way, the only account not locked down completely is the new account that you created. If the admin needs access temporarily, you can always use the other account to deny access to the admin so that he can do his stuff.

Another thing you can do (not recommended) is to just assign the admin account to another group, thereby not giving anyone cracking the password any access at all.

Cheers,
cgkanchi
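
As an added example that is not part of the original post: a read-only PowerShell check that lists which accounts are denied read access to the GroupPolicy folder the post names, and which accounts can change its ACL or take ownership of it. It inspects only the specific file-system rights in the folder's own ACL; group membership and generic-rights entries are not resolved.

```powershell
# Added example: audit the ACL of the local Group Policy folder.
# Read-only; it changes nothing on the system.
$path = Join-Path $env:SystemRoot 'System32\GroupPolicy'
if (-not (Test-Path -LiteralPath $path)) {
    throw "Folder not found: $path"
}

$acl = Get-Acl -LiteralPath $path
$fsr = [System.Security.AccessControl.FileSystemRights]

# Rights needed to read the policy files.
$readMask = [int]$fsr::ReadAndExecute
# Rights that let an account rewrite the ACL or seize ownership later.
$aclMask  = [int]$fsr::ChangePermissions -bor [int]$fsr::TakeOwnership

$report = foreach ($ace in $acl.Access) {
    $bits       = [int]$ace.FileSystemRights
    $isDeny     = $ace.AccessControlType -eq 'Deny'
    $deniesRead = $isDeny -and (($bits -band $readMask) -ne 0)
    $canEditAcl = (-not $isDeny) -and (($bits -band $aclMask) -ne 0)

    # Report only entries relevant to the scheme described in the post.
    if ($deniesRead -or $canEditAcl) {
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType
            Rights     = $ace.FileSystemRights
            Inherited  = $ace.IsInherited
            DeniesRead = $deniesRead
            CanEditAcl = $canEditAcl
        }
    }
}

# The owner can always rewrite the ACL, so report it as well.
"Owner: $($acl.Owner)"
$report | Format-Table -AutoSize
```

An account that shows both a Deny entry covering read and an Allow entry covering ChangePermissions or TakeOwnership matches the arrangement the post describes.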