What is the recommended number of password attempts to be allowed before an account is locked out? Is that 3 / 5 / 7 / 10? What is a good number considering the tradeoff between too many support calls versus ensuring security? What are the other valid reasons for account lockouts apart from user forgetfulness? Does that include any inherent flaws in the Windows architecture that caches passwords in mapped drives, applications storing passwords, ActiveSync issues and any such matters? Is there a comprehensive study on what the root causes are, and recommendations to eliminate them?