macOS Server Account Lockout Policy Enforcement

In light of macOS Server removing the Account Lockout Policy Enforcement feature from the GUI, one can still apply this enforcement by way of a terminal command run on the Open Directory server itself. For example:

Set LDAP Account Policy Enforcement:

pwpolicy -a <<diradmin>> -p <<password>> -u <<username>> -setpolicy "maxFailedLoginAttempts=1"

** The following sets a limit of 5 failed login attempts along with a forced password change every 60 days (maxMinutesUntilChangePassword is expressed in minutes, so 60 days = 86400 minutes):

sudo pwpolicy -a diradmin -u edtester -setpolicy "maxMinutesUntilChangePassword=86400 maxFailedLoginAttempts=5"

Unlock account:

pwpolicy -a <<diradmin>> -p <<password>> -u <<username to unlock>> -setpolicy "isDisabled=0"
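The two steps above (set the lockout policy, then unlock a locked-out account) wrapped in a small POSIX shell script, added here as an example and not part of the original post. It expresses the expiry in days and converts to the minutes that maxMinutesUntilChangePassword expects, applies the policy with the same `pwpolicy -a diradmin -u <user>` form the post uses, and then reads the policy back with `-getpolicy` so you can confirm it actually took effect. The directory admin name `diradmin`, the user `edtester` and the `SAMPLE_POLICY` output line are assumptions/constructed values for illustration; real `-getpolicy` output on your server will contain more keys.

```shell
#!/bin/sh
# Added example (not from the original post). Helper functions around pwpolicy
# for setting and verifying an Open Directory account lockout policy.
# Assumes it is run on the OD server by a user who can sudo, with a directory
# admin named "diradmin" (both taken from the post's own commands).

DIRADMIN=diradmin

# is_positive_int VALUE -> 0 if VALUE is a whole number >= 1
is_positive_int() {
    case "$1" in
        ''|*[!0-9]*|0) return 1 ;;
    esac
    return 0
}

# days_to_minutes DAYS -> minutes, the unit maxMinutesUntilChangePassword uses
days_to_minutes() {
    echo $(( $1 * 1440 ))
}

# build_policy ATTEMPTS DAYS -> the string handed to -setpolicy
build_policy() {
    is_positive_int "$1" || { echo "attempts must be a positive integer" >&2; return 1; }
    is_positive_int "$2" || { echo "days must be a positive integer" >&2; return 1; }
    echo "maxFailedLoginAttempts=$1 maxMinutesUntilChangePassword=$(days_to_minutes "$2")"
}

# policy_value "GETPOLICY_OUTPUT" KEY -> value of KEY from a key=value line
policy_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# check_policy OUTPUT ATTEMPTS MINUTES -> 0 only if the lockout limit and
# expiry match and the account is not disabled
check_policy() {
    [ "$(policy_value "$1" maxFailedLoginAttempts)" = "$2" ] || return 1
    [ "$(policy_value "$1" maxMinutesUntilChangePassword)" = "$3" ] || return 1
    [ "$(policy_value "$1" isDisabled)" = "0" ] || return 1
    return 0
}

# apply_lockout_policy USER ATTEMPTS DAYS: set the policy, read it back, verify
apply_lockout_policy() {
    policy=$(build_policy "$2" "$3") || return 1
    sudo pwpolicy -a "$DIRADMIN" -u "$1" -setpolicy "$policy" || return 1
    current=$(sudo pwpolicy -a "$DIRADMIN" -u "$1" -getpolicy) || return 1
    if check_policy "$current" "$2" "$(days_to_minutes "$3")"; then
        echo "policy applied and verified for $1: $current"
    else
        echo "policy verification failed for $1: $current" >&2
        return 1
    fi
}

# unlock_user USER: clear the lockout flag, as in the post's unlock command
unlock_user() {
    sudo pwpolicy -a "$DIRADMIN" -u "$1" -setpolicy "isDisabled=0"
}

# Constructed sample of a -getpolicy line after the post's policy is applied
# (pwpolicy prints the policy as space-separated key=value pairs).
SAMPLE_POLICY="isDisabled=0 isAdminUser=0 newPasswordRequired=0 maxFailedLoginAttempts=5 maxMinutesUntilChangePassword=86400"

# Usage on the OD server:
#   sh lockout.sh apply edtester 5 60
#   sh lockout.sh unlock edtester
# With no arguments it only checks the constructed sample, touching nothing.
case "$1" in
    apply)  apply_lockout_policy "$2" "$3" "$4" ;;
    unlock) unlock_user "$2" ;;
    *)      check_policy "$SAMPLE_POLICY" 5 86400 && echo "sample policy matches: $SAMPLE_POLICY" ;;
esac
```

The read-back step matters: `-setpolicy` exits quietly on an unknown key, so comparing `-getpolicy` output to what you intended is the only cheap way to know the lockout limit is really enforced.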

Link to technical article: https://superuser.com/questions/577273/osx-server-ldap-pwpolicy-how-to-disable-a-account

Helpful links:
https://www.jamf.com/jamf-nation/discussions/14460/pwpolicy-at-single-user-mode

https://krypted.com/mac-security/programatically-setting-password-policies/

https://www.unix.com/man-page/osx/8/pwpolicy/
