the users.local file overrides the users file. you can look in the rscd.log on the target and see why you are getting the permisson denied.
there are a couple possibilities:
1 - the exports file is denying the connection from the client, but usually you get a different error
2 - you are connecting from a client that does not have bladelogic credentials. (eg you run the 'nsh' programs file entry directly and there is no nsh proxy configured)
I think we had the proxy setup to work w/ the AD auth in your environment so running nsh from the programs menu should pickup the bladelogic auth, otherwise try the 'nsh here' from the CM gui.
then do an 'agentinfo ' and see who you are getting mapped to.