
Security Guardian Current - User Guide

Appendix - Security Guardian Indicator Details

Indicators from Security Guardian Assessments

The following table contains an alphabetical list of all indicators that originate from Security Guardian Assessments.

| Indicator | Indicator Type | Severity |
|---|---|---|
| Abnormally large number of privileged user accounts in the domain | Exposure | High |
| Accounts that allow Kerberos protocol transition delegation | Exposure | High |
| Active Directory Operator groups that are not protected by AdminSDHolder | Exposure | Critical |
| Administrator account can be delegated | Exposure | High |
| Anonymous access to Active Directory is enabled | Exposure | High |
| Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group | Exposure | Critical |
| Built-in Administrator account that has been used | Compromise | Critical |
| Built-in Guest account is enabled | Exposure | Critical |
| Computer accounts with non-default Primary Group IDs | Compromise | Critical |
| Computer accounts with reversible password | Exposure | High |
| Computer accounts with unconstrained delegation | Exposure | High |
| Computer accounts without readable Primary Group ID | Compromise | Critical |
| DNS zone configuration allows anonymous record updates | Exposure | High |
| Domain Admins can log into computers with non-privileged Group Policy | Exposure | Critical |
| Domain Controller is running SMBv1 protocol | Exposure | High |
| Domain trust configured insecurely | Exposure | High |
| Domain with obsolete domain functional level | Exposure | Medium |
| Enabled privileged user accounts that are inactive | Exposure | High |
| Foreign Security Principals are members of a privileged group | Exposure | High |
| Group Policy allows reversible passwords | Exposure | High |
| Groups with SID from local domain in their SID History | Compromise | Critical |
| Groups with well-known SIDs in their SID History | Compromise | Critical |
| Inheritance is enabled on the AdminSDHolder container | Compromise | Critical |
| KRBTGT accounts with Resource-Based Constrained Delegation | Exposure | Critical |
| Managed and Group Managed Service accounts that have not cycled their password recently | Compromise | Critical |
| Non-privileged accounts are able to log onto privileged computers | Exposure | Critical |
| Non-privileged accounts are members of DnsAdmins group | Exposure | Critical |
| Non-privileged accounts can access the gMSA root key | Exposure | Critical |
| Non-privileged accounts can link GPOs to the domain | Exposure | Critical |
| Non-privileged accounts can link Group Policy Objects to an Active Directory site | Exposure | Critical |
| Non-privileged accounts can link Group Policy Objects to Domain Controller OU | Exposure | Critical |
| Non-privileged accounts can perform a DCSync attack *Name to change | Exposure | Critical |
| Non-privileged accounts have access to write properties on certificate templates | Exposure | Critical |
| Non-privileged accounts that can promote a computer to a domain controller | Exposure | Critical |
| Non-privileged accounts with Microsoft Local Administrator Password (LAPS) access | Exposure | High |
| Non-privileged accounts with Migrate SID history permission delegation | Exposure | Critical |
| Non-privileged accounts with Reanimate tombstones permission delegation | Exposure | Critical |
| Non-privileged accounts with Unexpire password permission delegation | Exposure | Critical |
| Non-privileged computer can be compromised through Resource-Based Constrained Delegation | Exposure | High |
| Non-privileged user accounts configured for Password Never Expires | Exposure | High |
| Non-privileged user accounts with Service Principal Names | Exposure | Critical |
| Non-privileged user accounts with write permissions over Resource-Based Constrained Delegation on the KRBTGT account | Exposure | Critical |
| Non-privileged users can create computer accounts | Exposure | High |
| Non-privileged users with access to gMSA password | Exposure | Critical |
| Ordinary user accounts with hidden privileges (SDProp) | Compromise | Critical |
| Printer Spooler service is enabled on a domain controller | Exposure | Medium |
| Privileged account token can be stolen from a read-only domain controller | Exposure | High |
| Privileged computer accounts that have not cycled their password recently | Exposure | High |
| Privileged computer can be compromised through Resource-Based Constrained Delegation | Exposure | High |
| Privileged computer is owned by a non-privileged account | Compromise | Critical |
| Privileged computer that has write permissions on Resource-Based Constrained Delegation granted to a non-privileged account | Exposure | High |
| Privileged computers that have not recently authenticated to the domain | Exposure | High |
| Privileged Group Policy allows Recovery Mode to be not password-protected | Exposure | Critical |
| Privileged groups that have computer accounts as members | Exposure | High |
| Privileged groups which should not be in use contain members | Exposure | Critical |
| Privileged groups with SID History populated | Compromise | Critical |
| Privileged user account is disabled | Exposure | Medium |
| Privileged user accounts configured for Password Never Expires | Exposure | High |
| Privileged user accounts whose passwords have not changed recently | Exposure | High |
| Privileged user accounts with Service Principal Names | Exposure | Critical |
| Privileged user accounts with SID History populated | Compromise | Critical |
| Privileged users owned by non-privileged accounts | Compromise | Critical |
| Protected group credentials exposed on read-only domain controllers | Exposure | High |
| Protected Users group is not being used | Exposure | High |
| Schema Admins group contains members | Exposure | Critical |
| User accounts do not require a password | Exposure | High |
| User accounts have a reversible password | Exposure | High |
| User accounts in protected groups that are not protected by AdminSDHolder (SDProp) | Compromise | Critical |
| User accounts using DES encryption to log in | Exposure | High |
| User accounts with Kerberos pre-authentication disabled | Exposure | High |
| User accounts with non-default Primary Group IDs | Compromise | Critical |
| User accounts with SID from local domain in their SID History | Compromise | Critical |
| User accounts with unconstrained delegation | Exposure | High |
| User accounts with well-known SIDs in their SID History | Compromise | Critical |
| User accounts without readable Primary Group ID | Compromise | Critical |

Indicators from Security Guardian and Protection for Tier Zero Objects

The following table contains an alphabetical list of all indicators that originate from Security Guardian itself and from Protection for Tier Zero objects; the Source column shows which of the two raised each indicator.

| Indicator | Indicator Type | Severity | Source |
|---|---|---|---|
| New Tier Zero Domain detected | Tier Zero | High | Security Guardian |
| New Tier Zero GPO detected | Tier Zero | Medium | Security Guardian |
| New Tier Zero Group detected | Tier Zero | Medium | Security Guardian |
| New Tier Zero Computer detected | Tier Zero | Medium | Security Guardian |
| New Tier Zero User detected | Tier Zero | Medium | Security Guardian |
| Unprotected Tier Zero Domain | Exposure | Medium | Protection |
| Unprotected Active Directory Database | Exposure | Medium | Protection |
| Unprotected Tier Zero Computer | Exposure | Medium | Protection |
| Unprotected Tier Zero Group | Exposure | Medium | Protection |
| Unprotected Tier Zero Group Policy | Exposure | Medium | Protection |
| Unprotected Tier Zero User | Exposure | Medium | Protection |