I think you must combine being useful, fast and secure.

So making people wait for 30 minutes before they can log in again is a bad idea.

I don't advise doing the 5 tries per minute, for example, because a real patient cracker would write a program with that interval and make that program sit in the background of a remote computer he uses :P or of his own computer.

So I like to be strict in terms of passwords... 5 tries and you have a problem is a good policy.

I suggest you divide your users into groups; I think a person working in IT should not forget his password like Miss Shopping, and according to user group you define a policy.

You can make the "help desk" not made of humans; that will increase its capability by a lot more,
like sending a reset key to a specific mail address.... (the traditional procedure).

Ask him to log on from his usual computer (you log the network card or the IP :P) and to submit the key from that computer [I can imagine some ways for you if you want :P].

I agree with you about educating users to remember and have secure passwords.
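As an added illustration of the policy sketched in this post (it is example code written for this page, not something the poster provided): a small login guard that counts consecutive failures per account, applies a stricter threshold to one user group than another, locks the account once the threshold is hit (a timed lockout for regular users, a lockout that only a reset can clear for IT staff), and handles the "non-human help desk" reset with a single-use token that is only accepted from one of the account's usual IPs. The group names, thresholds, lockout duration and IP addresses are all made-up assumptions for the example; the clock is injectable so the timed lockout can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass(frozen=True)
class GroupPolicy:
    max_failures: int      # consecutive bad passwords before the account is locked
    lockout_seconds: int   # 0 means "locked until a password reset clears it"


# Hypothetical per-group policies: stricter for IT staff, a timed lockout for everyone else.
POLICIES: Dict[str, GroupPolicy] = {
    "it_staff": GroupPolicy(max_failures=3, lockout_seconds=0),
    "regular": GroupPolicy(max_failures=5, lockout_seconds=900),
}


@dataclass
class Account:
    group: str
    password_hash: bytes
    salt: bytes
    usual_ips: Set[str]                        # where this user normally logs in from
    failures: int = 0                          # consecutive failed attempts
    locked_until: Optional[float] = None       # None = not locked, inf = until reset
    reset_token_hash: Optional[bytes] = None   # hash of the outstanding reset key, if any


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used only as a reasonable stand-in for a proper password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    def __init__(self, now: Callable[[], float]):
        self.accounts: Dict[str, Account] = {}
        self.now = now  # injectable clock (example assumption) so tests are deterministic

    def add_user(self, name: str, group: str, password: str, usual_ips) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(group, hash_password(password, salt), salt, set(usual_ips))

    def login(self, name: str, password: str) -> str:
        acct = self.accounts.get(name)
        if acct is None:
            return "no_such_user"  # a real service would answer exactly as for a bad password
        if acct.locked_until is not None:
            if self.now() < acct.locked_until:
                return "locked"
            acct.locked_until = None  # timed lockout has expired; start counting afresh
            acct.failures = 0
        if hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        policy = POLICIES[acct.group]
        if acct.failures >= policy.max_failures:
            if policy.lockout_seconds == 0:
                acct.locked_until = float("inf")          # stays locked until reset
            else:
                acct.locked_until = self.now() + policy.lockout_seconds
            return "locked"
        return "bad_password"

    def issue_reset_token(self, name: str) -> str:
        # The automated help desk would mail this token to the registered address;
        # only its hash is stored so a database leak does not expose live tokens.
        token = secrets.token_urlsafe(32)
        self.accounts[name].reset_token_hash = hashlib.sha256(token.encode()).digest()
        return token

    def redeem_reset_token(self, name: str, token: str, client_ip: str, new_password: str) -> str:
        acct = self.accounts[name]
        # The post's extra check: the key must be submitted from the user's usual computer.
        if client_ip not in acct.usual_ips:
            return "wrong_device"
        presented = hashlib.sha256(token.encode()).digest()
        if acct.reset_token_hash is None or not hmac.compare_digest(presented, acct.reset_token_hash):
            return "bad_token"
        acct.reset_token_hash = None  # single use
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = hash_password(new_password, acct.salt)
        acct.failures = 0
        acct.locked_until = None
        return "reset"
```

The "wrong_device" check is deliberately evaluated before the token itself, so a token that has leaked is still useless from anywhere but the registered machine; in practice the "usual IP" set would be learned from prior successful logins rather than configured by hand.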