Good article, but I disagree on one point.
The automatic account lockout can do more harm than good. It sets the conditions for an easy DOS attack.
An attacker, inside or outside of the network, can use any of a dozen freeware programs to use a guessing scheme against your domain. If you have account lockout set on your domain, the attacker can easily lock out EVERY account in your domain (except for your renamed Administrator account).
I speak from experience on this.