- Start | Run | SECPOL.MSC
- Select Local Policies | User Rights Assignment | Change System Time
- Remove respective users/groups from the list who should not have access.
- If you remove all users, you have two choices for changing the time -- do it in the BIOS, or add a user back in at this location, reboot, change the time, and remove the user again.
One other thought - you could create an additional Administrator user, and designate only that user (rather than a group) to have access to change the time.
Even better, why not make the default 'clerk' login restricted to ward clerks, and create an additional logon for all other ward users (and update the ability to change time as noted above)? Is there something special about user 'clerk' as it relates to MLS?