There are two bugs with kadmin's account
lockout policy feature that we should fix:
1. the lockoutduration and
failurecountinterval arguments silently coerce their value to
seconds. For example, if you specify "5 minutes", it will
assign the value as five seconds.
solution: use getdate for input.
2. the policy output does not format the
values in a time format. For example, "5" is displayed,
instead of "0 days 00:00:05" for five seconds.
solution: use strdur on output.