There are two bugs with kadmin's account lockout policy feature that we should fix:

1. the lockoutduration and failurecountinterval arguments silently coerce their value to seconds.  For example, if you specify "5 minutes", it will assign the value as five seconds.

solution: use getdate for input.

2. the policy output does not format the values in a time format.  For example, "5" is displayed, instead of "0 days 00:00:05" for five seconds.

solution: use strdur on output.