I think I figured this out. The "Permission Denied" message actually seems to be a false message returned by UNIX servers when trying to passwd -l on a user that does not exist on the server. I worked around this by grep -i $user /etc/passwd first and exiting here if the user does not exist instead of proceeding with the passwd -l to get the false error.
Make sure the grep looks for the entire user-name entry in the passwd file, as user-names show up in other users' comments or as a part of another username:
grep -i ^$: /etc/passwd
snagging the return code of:
blquery -e 'user_exists("'"$"'")' > /dev/null 2>&1
would also do the trick in most cases.