What does 'Log on as a Service' actually mean?

The article you linked provides an explanation of what rights Log on as a Service provides:

The Log on as a service user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console.

In short, you only want to provide this right to the accounts that need it - by default, that's the Local System, Local Service and Network Service accounts, because those are what services run under by default.

If you wish to run a service under a different security context (like a service account you create), you would want to grant that service account Log on as a Service rights so that it could run your service without the need for a user to be logged in. The article you link provides IIS and ASP.NET as examples where additional accounts are granted this right; it applies to third-party programs that run as services as well.

If you don't want to you run every service as SYSTEM or NetworkService, you would setup service accounts for individual services and assign them this Log on as a Service right. The main advantage of using service accounts in this way is that if your service is compromised, it's running under the security context of the account running it, rather than the SYSTEM-level security context that SYSTEM and NetworkService have.

So, the best practice is to assign this right only to accounts that services run under, and to run individual services under service accounts that are configured according to principle of least privilege (only give them permissions they need to run; don't give them admin or SYSTEM privileges). I would add that controlling this by GPO is the more secure approach. If it's controlled locally on each server, then anyone who gets Administrative rights on a server can control what accounts can run services on that server, whereas enforcing it via GPO requires getting the appropriate domain rights at a domain level.