It'll just happen if you configure a regular GPO to lock users out after 5 failed logon attempts. The standard message is "Your account has been locked. Please contact your system administrator."
As far as locking the workstation, that's more complicated, as the TS will need to first check if a user exists, etc.
I can tell you that we're 100% compliant with all requirements and we only use the lockout policy (well, we have it set to three attempts).