Ola nihil:

You're right on the "three goes and account is locked" theory I believe. Many of us arguing in the thread are stating that. We have been told however, at least for AD, that the 15 is their threshold. I am currently looking to confirm or disconfirm that.

Also - yes many of our users would need to login to other machines/shares and as my fellow auditor stated, one bad login in that case would case an account lockout - however that too needs to be confirmed or disconfirmed.

I will also bring up your point to the e-mail thread of:

It sounds to me as if your active directory is not set up properly? Like you should be forced to establish your credentials and bonafides BEFORE you are allowed anywhere near production systems.
As a counter to my second paragraph point.

I will post more once I learn more. Thanks.

Bueno.