For servers that are publicly facing, it's possible that hackers will attempt to hack you. Recently, I had a hacker try to guess logins and passwords over and over and over again (thousands of times) over port 25. I was able to thwart that by disabling port 25 for a bit (15 minutes) and the hacker lost interest. But theoretically, had I not seen the hacker attempting, he could have tried hacking forever, just guessing and guessing.
There's no lockout policy for invalid usernames. If the hacker is guessing on jsmith and you don't have a jsmith user, he can keep guessing forever. The lockout policy will not apply. But if the hacker is trying legitimate user names, the hacker should be locked out after a limited number of attempts. I have seen the default as no limit and as 50 attempts on SBS machines.
The number of attempts should be 6 or fewer and the lockout times should be 15 minutes or longer.
You can get to the appropriate place via:
Group Policy Management -> expand to default domain policy, right click on default domain policy and click edit. Then edit these fields: