2008-05-11 22:05:58
1. Use the root account to run this shell script; it creates a user named infra that can only reset failed login counts.
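#!/usr/bin/ksh
# Create the AIX user "infra", whose only job is to clear the
# unsuccessful_login_count of locked accounts.  Must run as root.
#
# Side effects on the system:
#   /etc/passwd                  infra's shell field gets infralogon.sh appended
#                                (a timestamped copy is kept first)
#   /etc/security, /etc/security/lastlog, chsec
#                                AIXC extended ACL entries for user infra
#   /usr/bin/infralogon.sh       infra's login program (lists and unlocks accounts)
#   /usr/bin/reset-infra         daily job that re-arms the infra account
#   root's crontab               one entry running reset-infra at 17:00
#
# Note on the ed calls: the "ed FILE <<DELIM" here-documents are the
# intended form; written with a single "<", ed would read a nonexistent
# file and the editing commands would run as shell commands.

LOGON_SCRIPT=/usr/bin/infralogon.sh
# /bin is a symlink to /usr/bin on AIX; the crontab entry uses this path.
RESET_SCRIPT=/usr/bin/reset-infra
ROOT_CRONTAB=/var/spool/cron/crontabs/root

# Private scratch directory for ACL editing: mkdir fails instead of
# following a pre-planted /tmp symlink, which fixed names such as
# /tmp/acl1 would silently do when root writes to them.
tmpdir=/tmp/mkinfra.$$
mkdir -m 700 "$tmpdir" || exit 1
trap 'rm -rf "$tmpdir"' EXIT

#######################################
# Grant user infra one AIXC extended permission on a file system object.
# Keeps the object's "attributes:" block and REPLACES any existing
# extended entries with the single permit line (the original did this
# three times by hand, with the same effect).
# Globals:   tmpdir (read)
# Arguments: $1 - object path, $2 - permission string (r-x or r--)
# Returns:   0 on success; 1 with a warning on stderr otherwise
#######################################
grant_infra_acl() {
  if aclget "$1" >"$tmpdir/acl1" &&
     sed -n '/^attributes:/,/^extended permissions/{p;}' "$tmpdir/acl1" >"$tmpdir/acl2" &&
     echo " enabled" >>"$tmpdir/acl2" &&
     echo " permit $2 u:infra" >>"$tmpdir/acl2" &&
     aclput -i "$tmpdir/acl2" "$1"; then
    return 0
  fi
  echo "warning: could not set ACL on $1 for infra" >&2
  return 1
}

# Start from a clean slate when the user already exists.
if lsuser infra >/dev/null 2>&1; then
  rmuser infra
  rm -rf /home/infra
fi
mkuser -a pgrp='nobody' infra || exit 1
if [ -d /var/hist/vasen ]; then
  chown infra /var/hist/vasen
fi

# Everything written from here on (passwd backup, the two scripts) is
# created unreadable to others; infralogon.sh is opened up explicitly below.
umask 077

# Make infralogon.sh infra's login program.  AIX accepts arguments in the
# /etc/passwd shell field, so "/usr/bin/ksh /usr/bin/infralogon.sh" starts
# ksh on the script at login.  ed edits in place, hence the backup copy.
cp /etc/passwd "/etc/passwd$(date +%y%m%d%H%M%S)" || exit 1
ed /etc/passwd <<'EOF_ED'
/^infra:/s/$/ \/usr\/bin\/infralogon.sh/
w
q
EOF_ED

# What the login program needs: traverse /etc/security, read lastlog,
# and execute chsec (the counter reset itself).
chsec_path=$(which chsec)
# 'which' reports "no chsec in ..." on stdout when missing, so test -x.
[ -x "$chsec_path" ] || exit 1
grant_infra_acl /etc/security r-x
grant_infra_acl /etc/security/lastlog r--
grant_infra_acl "$chsec_path" r-x

# Login program of user infra.
cat <<'EOF_LOGON' >"$LOGON_SCRIPT"
#!/usr/bin/ksh
# Login program of user infra: print the lastlog stanzas whose
# unsuccessful_login_count is not 0-4 (grep -p is AIX paragraph mode, so
# whole stanzas are kept together), then clear counts on request.
# Ctrl+C or EOF ends the session.  A name chsec rejects just repeats the
# prompt instead of ending the session with the "bye" message.
if grep -vp "unsuccessful_login_count = [0-4] *$" /etc/security/lastlog | grep -v '^\*' | grep -v '^$'; then
  while :; do
    echo "Press ctrl+c to logout, or input the account's name to reactive it:"
    read -r username || break
    [ -n "$username" ] || continue
    # The typed name is only ever an argument to chsec (quoted), never
    # interpreted by the shell; chsec itself decides whether it is valid.
    chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s "$username"
  done
fi
echo "No account need to be reactived. bye!"
EOF_LOGON
chmod a+rx "$LOGON_SCRIPT"

# Daily re-arm job.  It embeds infra's password hash, so the file stays
# readable by root only (umask above, chmod below) - it is run by root's
# crontab and needs no other reader.
cat <<'EOF_RESET' >"$RESET_SCRIPT"
#!/usr/bin/ksh
# Date: 2006-04-29
# Re-arm user infra (run daily from root's crontab): restore its password
# hash and lastupdate, re-grant the chsec ACL, clear its login counter.

# Newest lastupdate of any user, so infra's password never looks expired.
last_update=$(awk '/lastupdate/ {print $NF}' /etc/security/passwd | sort -nr | head -1)
[ -n "$last_update" ] || exit 1

# Fixed password hash for infra; this here-document is unquoted so that
# $last_update expands.
ed /etc/security/passwd <<EOF_ED
/^infra:/
/password/s/=.*/= hjOZjaz1Wd4Ig/
/lastupdate/s/=.*/= $last_update/
w
q
EOF_ED

# Re-grant execute on chsec (private scratch dir, see the setup script).
tmpdir=/tmp/reset-infra.$$
mkdir -m 700 "$tmpdir" || exit 1
trap 'rm -rf "$tmpdir"' EXIT
chsec_path=$(which chsec)
[ -x "$chsec_path" ] || exit 1
aclget "$chsec_path" >"$tmpdir/acl1" || exit 1
sed -n '/^attributes:/,/^extended permissions/{p;}' "$tmpdir/acl1" >"$tmpdir/acl2"
echo " enabled" >>"$tmpdir/acl2"
echo " permit r-x u:infra" >>"$tmpdir/acl2"
aclput -i "$tmpdir/acl2" "$chsec_path"

# Unlock user infra itself.
chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s infra
EOF_RESET
chmod 700 "$RESET_SCRIPT"

# Schedule the daily re-arm once; crontab(1) re-reads the file, so cron
# needs no HUP.
if ! grep reset-infra "$ROOT_CRONTAB" >/dev/null 2>&1; then
  echo "0 17 * * * $RESET_SCRIPT" >>"$ROOT_CRONTAB"
  crontab "$ROOT_CRONTAB"
fi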
2.Set the password of this account.
For example:
# passwd infra
Changing password for "infra"
infra's New password: (The fastest way is to set an empty password: press the "enter" key directly.)
Enter the new password again:
# tn 127.0.0.1
Trying...
Connected to 127.0.0.1.
Escape character is '^T'.
telnet (idish1b)
AIX Version 5
(C) Copyrights by IBM and by others 1982, 2000.
login: infra
3004-610 You are required to change your password.
Please choose a new one.
infra's New password: (Now set the password you really want.)
Enter the new password again:
3.How to reset the locked account?
For example:
renton:
time_last_login = 1097702111
tty_last_login = /dev/pts/0
host_last_login = 9.181.182.157
unsuccessful_login_count = 6
time_last_unsuccessful_login = 1098972888
tty_last_unsuccessful_login = /dev/pts/0
host_last_unsuccessful_login = 9.181.182.155
tony:
time_last_unsuccessful_login = 1111441748
tty_last_unsuccessful_login = /dev/pts/0
host_last_unsuccessful_login = 9.181.186.23
unsuccessful_login_count = 6
time_last_login = 1105545339
tty_last_login = /dev/pts/2
host_last_login = 9.184.83.88 (When you login using infra, you can see all the locked accounts and other information.)
Press ctrl+c to logout, or input the account's name to reactive it:
tony
Press ctrl+c to logout, or input the account's name to reactive it:
renton
Press ctrl+c to logout, or input the account's name to reactive it:
^C
Connection closed.
#
4. All the files impacted by the shell script in step 1.
You can use the following commands to see these files:
# Inspect everything the setup script touched.
grep '^infra' /etc/passwd
aclget /etc/security
aclget /etc/security/lastlog
aclget "$(which chsec)"
cat /usr/bin/infralogon.sh
ls -l /usr/bin/infralogon.sh
5. Please refer to Houtao and Leo's solution.
6. About "how to prevent infra's password from being expired", please refer to
Documentation: how to prevent infra's password from being expired