So why not just use a WMI Filter on the GPO or modify the security on it so that the exempted users can't read or apply that GPO? That's still WAY easier than trying to write some custom script and try to apply it properly.
Plus, the GPOs automatically re-apply every ~90 minutes, so they'll have to keep running the script anyway.