If the password policy has been configured to either maintain a record of recent successful authentication attempts or to maintain a last login time, then the following configuration property is used to enable idle account lockout:

Specifies the length of time that must pass after the most recent successful authentication for a user’s account to be locked. A value of zero seconds (which is the default) indicates that idle account lockout should be disabled.

If an account has been locked because it has been too long since the user last authenticated, then it can be unlocked with an administrative password reset.

The config/sample-dsconfig-batch-files/enable-last-login-tracking-and-idle-lockout.dsconfig batch file provides more information about idle account lockout.