I think there is another important point here, however. You mentioned that you want to lock out the accounts so you can be alerted in case of account hacks. This is great in principle, but if you don't have staffing within your security group to track down every phone call to the help desk, are you really accomplishing the goal of having knowledge of potential attackers?