You don't give much information on how your network is set up, what your password policies are or how secure your network needs to be, so this may or may not be helpful.
I work in a secure environment and my location uses a combination of things. We have our workstations set to lock users out after 3 failed logons. They reset after a 15-minute wait.

Having said this, we also enforce a strict password policy that forces a person to have a password of 8 characters (that has to have at least one number, one capital letter, one lower case letter and one special character). Users have to change their passwords every 90 days and we enforce a password history of the last 24 passwords so you cannot use them again. Also, if you change your password, you have to wait 1 day before changing it again (unless you have a systems admin force the change).

We also enforce a policy that audits failures of account logon events so we can see which accounts are getting hit. We've removed unnecessary groups and accounts from even being able to have access to the machines, and no one other than admins has local access to the machines. If a user wants to use the machine, they have to log onto the domain (they cannot log on locally) with a valid domain account.

This information may be more than what you were looking for but at least it might give you some ideas. I hope it helps.
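
Added example, not part of the original post: a small check that compares an exported Windows security policy against the values listed in the answer above. It assumes a Windows domain environment and a policy file produced with `secedit /export /cfg policy.inf`; mapping the 15-minute reset to `LockoutDuration` is an assumption, and the sample export is constructed.

```python
import configparser

# (section, key, check, requirement) built from the values in the answer above.
BASELINE = [
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 3, "lock out after 3 failed logons"),
    ("System Access", "LockoutDuration", lambda v: v >= 15, "lockout lasts 15 minutes"),
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8, "8-character minimum"),
    ("System Access", "PasswordComplexity", lambda v: v == 1, "complexity enabled"),
    ("System Access", "MaximumPasswordAge", lambda v: 1 <= v <= 90, "change every 90 days"),
    ("System Access", "PasswordHistorySize", lambda v: v >= 24, "remember last 24 passwords"),
    ("System Access", "MinimumPasswordAge", lambda v: v >= 1, "wait 1 day between changes"),
    ("Event Audit", "AuditAccountLogon", lambda v: v & 2 == 2, "audit account logon failures"),
]

def audit(inf_text):
    """Return (key, found_value, requirement) for every setting that misses the baseline."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep secedit's key casing instead of lowercasing
    cfg.read_string(inf_text)
    findings = []
    for section, key, ok, requirement in BASELINE:
        raw = cfg.get(section, key, fallback=None)
        try:
            value = int(raw)
        except (TypeError, ValueError):
            findings.append((key, raw, requirement))  # missing or non-numeric
            continue
        if not ok(value):
            findings.append((key, value, requirement))
    return findings

# Constructed sample export (not taken from a real machine).
SAMPLE = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 12
LockoutBadCount = 3
LockoutDuration = 15
[Event Audit]
AuditAccountLogon = 1
"""

if __name__ == "__main__":
    for key, value, requirement in audit(SAMPLE):
        print(f"FAIL {key}={value}: expected {requirement}")
```

A real `secedit` export is normally UTF-16 encoded, so decode the file with that encoding before passing its text to `audit`.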