AD
Isn't that powerful. In fact, if you can get physical access to a PC, AD and GP permissions are among the easiest "security" features to breach.
Worst case scenario, unless the drive is encrypted, you can reinstall Windows over the top of a Windows instance you don't have permissions to and you'll either have access or be able to take ownership after the rebuild.
Not sure if there is anything like Winternals for Windows 8... but basically, if you've got physical access to a machine, AD and GP security and policies don't mean anything, if you *really* want in.
Lenovo BIOS passwords and hard drive passwords are one example of enterprise class hardware designed to compensate for this shortcoming.
