Rights are special properties that administrators assign to accounts. Your accountís Rights propagate to all the programs you run in your local or remote logon sessions. These let your programs make special requests to the system that would not be fulfilled unless they had one of these Rights. Most are administrative in nature, and many used only by the operating system itself. Each Windows NT computer (be it a Workstation, Domain Controller, or Server) has its own Rights database that associates Rights with some or all of the accounts usable on that computer. Hence, Rights are not stored in the account. Your domain account may have some Rights on some computers and other Rights on others. To minimize confusion, seldom change Windows NTís default Rights policy, and when you must, build your custom Rights policies around domain-wide groups. The two rights that govern local and remote logon are quite important. An account needs the former on a given computer to sit down and logon at its keyboard, and the second to establish a secondary, remote logon session on that computer. Their often unappreciated importance is that they can be effectively coupled with your domain structure and local matching account strategy to determine which accounts can be used where network-wide. These Rights can be just as instrumental in keeping your domain structure simple as local, matching accounts. Consider them carefully and use them creatively.