The Account Lockout policy has 3 variables:

| Setting | Description |
|---|---|
| Account lockout threshold | The number of logon attempts a user can make before the account is locked. |
| Reset account lockout counter after | The time that must elapse before the counter is reset to zero. |
| Account lockout duration | The time that must elapse before an account is unlocked and the user can attempt to log on. |

If you set Reset account lockout counter after to a value greater than Account lockout duration, Windows automatically adjusts it to equal Account lockout duration. If it didn't, Account lockout duration would count down first and make it possible for the user to attempt to log on while the Reset account lockout counter after timer was still decrementing and the bad attempts counter had not yet been reset. This would guarantee that the user could never log on again.
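
The relationship between the three values can also be checked in a security template before it is applied. The following is an added example, not code from the original page: `Test-LockoutPolicy` is a hypothetical helper name, the sample template is constructed, and the key names `LockoutBadCount`, `ResetLockoutCount` and `LockoutDuration` are the ones `secedit /export` writes in its `[System Access]` section.

```powershell
# Added example (not from the original page). Export the live policy with:
#   secedit /export /cfg policy.inf /areas SECURITYPOLICY
function Test-LockoutPolicy {
    param([Parameter(Mandatory)][string[]]$InfLines)

    # Collect "Key = Value" integers from the [System Access] section only.
    $section = ''
    $values  = @{}
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $values[$Matches[1]] = [int]$Matches[2]
        }
    }

    $threshold  = $values['LockoutBadCount']    # Account lockout threshold
    $resetAfter = $values['ResetLockoutCount']  # Reset account lockout counter after (minutes)
    $duration   = $values['LockoutDuration']    # Account lockout duration (minutes)

    $findings = @()
    if (-not $threshold) {
        $findings += 'Account lockout threshold is 0 or missing: accounts are never locked.'
    }
    elseif ($null -eq $resetAfter -or $null -eq $duration) {
        $findings += 'Threshold is set but the reset or duration value is missing.'
    }
    # Assumption: a duration of 0 or -1 means "locked until an administrator
    # unlocks", so the ordering check is skipped for those values.
    elseif ($duration -gt 0 -and $resetAfter -gt $duration) {
        $findings += "Reset account lockout counter after ($resetAfter min) is greater than Account lockout duration ($duration min)."
    }

    [pscustomobject]@{
        Threshold  = $threshold; ResetAfter = $resetAfter; Duration = $duration
        Consistent = ($findings.Count -eq 0); Findings = $findings
    }
}

# Constructed sample template containing the inconsistent pair described above.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 15
'@ -split '\r?\n'

Test-LockoutPolicy -InfLines $sample | Format-List
```

For a real export, pass `(Get-Content policy.inf)` as `-InfLines` instead of the sample.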