Log on as a batch job
This policy setting determines which accounts can log on by using a batch-queue tool such as the Task Scheduler service. When you use the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the Log on as a batch job user right. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user’s security context.
Log on as a service
This policy setting determines which service accounts can register a process as a service. Running a process under a service account circumvents the need for human intervention.
Allow log on locally
This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller.
Note: Users who do not have this right are still able to start a remote interactive session on the device if they have the Allow logon through Remote Desktop Services right.
Allow log on through Remote Desktop Services
This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server.
To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group.