I have an `/etc/pam.d/dcv` file (goes with nice-dcv) and it has just these two lines:

```
auth include password-auth
account include password-auth
```

My problem is that a security request to include a `faillock` item in `password-auth` prevents my nice-dcv connections from working for users. As a fix I would like to have the `faillock` syntax in `/etc/pam.d/password-auth` to meet requirements and then just tweak my `/etc/pam.d/dcv` file to use the redhat default `password-auth` but **without** my faillock modification.

But the pam syntax has me confused when it has an `auth include` and an `account include` of the same [password-auth] file... what do I do? How does it work for an `auth include` **and** then an `account include` of this one file having these contents which then has all it has?

```
#
# default redhat-8 /etc/pam.d/password-auth
#
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
```

Asked by ron
(8647 rep)
Jun 19, 2025, 12:59 PM
Last activity: Jun 19, 2025, 02:39 PM
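
How `include` resolves per management type, as an added example that is not part of the original post: `auth include password-auth` pulls in only the `auth` lines of that file, and `account include password-auth` only its `account` lines. The shortened `password-auth`, its `pam_faillock.so` lines and their arguments are constructed sample input, and `parse`, `resolve` and `modules` are hypothetical helper names.

```python
# Constructed sample input: the dcv file from the post plus a shortened
# password-auth; the pam_faillock.so lines and their arguments are assumptions.
PAM_D = {
    "dcv": "auth include password-auth\naccount include password-auth\n",
    "password-auth": """\
auth required pam_env.so
auth required pam_faillock.so preauth silent
auth sufficient pam_unix.so nullok
auth [default=die] pam_faillock.so authfail
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
password sufficient pam_unix.so sha512 shadow nullok use_authtok
session required pam_unix.so
""",
}

def parse(text):
    """Yield (type, control, rest) per rule, skipping blank lines and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mtype, rest = line.split(None, 1)
        if rest.startswith("["):             # bracketed control: [a=b c=d]
            control, _, rest = rest.partition("]")
            control += "]"
        else:
            parts = rest.split(None, 1)
            control, rest = parts[0], parts[1] if len(parts) > 1 else ""
        yield mtype.lstrip("-"), control, rest.strip()

def resolve(service, mtype, files=PAM_D, depth=0):
    """Flatten the rules one management type sees for a service file."""
    if depth > 8:
        raise RecursionError("include loop at " + service)
    stack = []
    for t, control, rest in parse(files[service]):
        if t != mtype:
            continue                         # include pulls only lines of its own type
        if control == "include":
            stack += resolve(rest.split()[0], mtype, files, depth + 1)
        else:
            stack.append((control, rest))
    return stack

def modules(service, mtype, files=PAM_D):
    """Module names, in order, that the service runs for one management type."""
    return [rest.split()[0] for _, rest in resolve(service, mtype, files)]
```

With only `auth` and `account` includes, the `dcv` service has empty `password` and `session` stacks, and any `pam_faillock.so` line added to `password-auth` under `auth` or `account` becomes part of the `dcv` stack of the same type.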