GPOs are collections of Windows configuration settings applied to users and computers in AD — enforcing password policies, disabling USB drives, configuring screen lock, deploying software.
GPOs are a primary enterprise hardening tool. Processed in order: Local → Site → Domain → OU (LSDOU). Later GPOs override earlier. Loopback processing applies computer policies to logged-in users.