Prevent administrator password 2008 R2 reset

As you know, windows server 2008 password can be reset easily.

(http://blogs.technet.com/b/meacoex/archive/2011/08/15/reset-your-windows-sever-2008-r2-domain-controller-administrator-password.aspx)
 

If you want to prevent someone who have physical access to your server from reset admin password, you can encrypt your Windows drive using Bitlocker.

Unfortunately if your server restarts, it will need the USB key for boot.

You can safely do this if you are familiar with the Bitlocker.

1. Enable Bitlocker feature on the Server .

2. Restart the Server.

3. On your windows drive turn on your bitlocker .

• Start a  CMD window as admin & change directory focus to C:\windows\system32\
• Run the command  manage-bde.exe –on C: -rp –sk A:
• Restart the machine. 

C: refers to your windows drive and A: refers to USB key.

4. Make sure you store the recovery key in a safe place.

• Open Bitlocker Drive Encryption by clicking the Start button , clicking Control Panel, clicking Security, and then clicking Bitlocker Drive Encryption.‌
• Click Manage BitLocker, and then follow the instructions.

5. After your server boots, unplug the key.