DS 8.1 question -- password unlock attribute

I'm trying to set up a password policy such that if a user attempts to bind with the incorrect password x times they will need to have it unlocked by an administrator.

I have it mostly set up but have a question on the passwordUnlock attribute. From the 8.1 admin guide,

passwordLockoutDuration This attribute indicates the time, in seconds,
that users will be locked out of the directory. The
passwordUnlock attribute specifies that a user
is locked out until the password is reset by an
administrator. By default, the user is locked out
for 3600 seconds.

Do I need to set the passwordUnlock attribute to "off" to make it so an admin has to reset a users password? Or does it need to set to "on" to turn on the feature that I want?

Thanks
Sean