Make a gpo that has no lockout and put your service accounts in there.
Or use rdpguard and just block any IP that tries more than a few times to guess passwords. http://rdpguard.com/
Personally, rdp without rdp gateway or without VPN is more than a little scary. I'd use this as an excuse to put in a mandatory VPN policy here.
We just had a major rdp vulnerability with passwordless accounts. rdp has a major security event every few years, but to be fair the conditions to make the exploit work are often unrealistic. Mitigation via layers is the only thing that makes sense here.