A colleague who runs a modest but growing financial business called me in a panic the other day. It seems that he replaced his IT support person with a new contractor. New guy comes in, begins working on the system, then midway through discovers he's been locked out. The owner, not having any other administrative account, is shut out even though he has physical access to the server. I suggested there was one of two possibilities: incompetence on the part of the new guy, or something sinister on the part of the old.
Turns out it was the latter: old guy, disgruntled over having been replaced, logs in to the system remotely while new guy is working, changes all the passwords, then essentially blackmails the owner, offering to release the system for a certain sum of money.
A number of lessons here. Putting all your trust in one person who can bring down your system yet is not a vested member of your team is dangerous. Not having alternative means of getting control of your system is a Bad Thing. Managing the transition among IT staff is critical. Having mechanisms in place to ensure an orderly change of command, including immediately shutting out people who are no longer authorized to access your system, is important.