How to time-bomb a GPO?

This can be done by the means of WMI filtering. The group policy client would execute the WQL query from an attached WMI filter and only apply the GPO if the query would return a non-zero number of rows. So by creating a WMI filter checking if the current system time is within a given time interval and linking this WMI filter to the GPO you want to timebomb you get exactly what you wanted.

The win32_operatingsystem WMI class has a localdatetime attribute which can be compared to a given string date in the format 'yyyymmdd hh:nn:ss' so using the WQL string like

select * from win32_operatingsystem where localdatetime >= '20150220 00:00:00' and localdatetime <= '20150223 15:00:00'

in the root\CIMv2 namespace would make sure that the GPO only would be applied to systems where the local time is between Feb, 20 2015 00:00:00 and Feb, 23 2015 15:00:00:

Make sure you have linked the WMI filter to the desired GPO:

Things to keep in mind:

• the WQL is evaluating the local date and time on the client, which might or might not be synchronized with the time source you mean to use. The client's time will not run too far ahead or behind of the domain controller's time, otherwise Kerberos authentication will break, but there might be minor deviations, do account for them

• the group policy client will check for GPO changes and re-apply them rather infrequently by default:

  By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.

  So the default settings will only allow for a precision of +2 hours. The update interval can be changed by (another) group policy setting, if needed.

• your policy needs to be able to revert all changes when no longer applied. This is the case by default for all managed Administrative Templates. Group Policy Preferences settings might need to be explicitly set up to "remove this item when no longer applied":