A user right is authorization to perform an operation that affects an entire computer. (A permission, by contrast, is authorization to perform an operation on a specific object—such as a file or a printer—on a computer.)For each user right, you can specify which user accounts and groups have the user right. To review or set user rights, in Group Policy (Gpedit.msc) navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Then double-click a user right to view or change the list of users and groups.
To review or change the local setting for a user right, double-click the user right in User Rights Assignment.
tip - Use the Local Security Settings console
--------------------------------------------------------------------------------
The Local Security Settings console provides a shorter path to User Rights Assignment, so it’s useful when you’re not setting other policies, such as the ones in the Administrative Templates folders. To open Local Security Settings, double-click Local Security Policy in the Administrative Tools folder or type secpol.msc at a command prompt.
Ten of the user rights—Access This Computer From The Network, Allow Logon Through Terminal Services, Log On As A Batch Job, Log On As A Service, Log On Locally, and their corresponding "Deny" user rights—are known more precisely as logon rights. They control how users are allowed to access the computer—whether from the keyboard ("locally") or through a network connection, or whether as a service or as a batch facility (such as Task Scheduler). You can use these logon rights (in particular, Log On Locally and Deny Logon Locally) to control who can log on to your computer. By default, Log On Locally is granted to the local Guest account and members of the Administrators, Backup Operators, Power Users, and Users groups. If you want to prevent certain users from logging on at the keyboard (but still allow them to connect via the network, for example), create a group, add those user accounts to it, and then assign the Deny Logon Locally user right to the new group. Like deny permissions, deny logon rights take precedence over allow logon rights, so if a user is a member of a group that is allowed to log on (such as Power Users) and a group that is not (such as the one described in the previous sentence), the user will not be allowed to log on. (Such users are rebuffed with an error message after they type their user name and password in the Log On To Windows dialog box.)
hope this will shed a little light on it all