The following table contains an alphabetical list of all indicators that originate from Security Guardian Assessments,

Indicator	Indicator Type	Severity
Abnormally large number of Tier Zero user accounts in the domain	Hygiene	High
Accounts that allow Kerberos protocol transition delegation	Hygiene	High
Active Directory Operator groups that are not protected by AdminSDHolder	Hygiene	Critical
Tier Zero account can be delegated	Hygiene	High
Anonymous access to Active Directory is enabled	Hygiene	High
Anonymous Logon and Everyone groups are members of the Pre-Windows 2000 Compatible Access group	Hygiene	Critical
Built-in Administrator account that has been used	Hygiene	Critical
Built-in Guest account is enabled	Hygiene	Critical
Computer accounts with non-default Primary Group IDs	Hygiene	Critical
Computer accounts with reversible password	Hygiene	High
Computer accounts with unconstrained delegation	Hygiene	High
Computer accounts without readable Primary Group ID	Hygiene	Critical
DNS zone configuration allows anonymous record updates	Hygiene	High
Domain Admins can log into computers with non-Tier Zero Group Policy	Hygiene	Critical
Domain Controller is running SMBv1 protocol	Hygiene	High
Domain trust configured insecurely	Hygiene	High
Domain with obsolete domain functional level	Hygiene	Medium
Enabled Tier Zero user accounts that are inactive	Hygiene	High
Foreign Security Principals are members of a Tier Zero group	Hygiene	High
Group Policy allows reversible passwords	Hygiene	High
Groups with SID from local domain in their SID History	Hygiene	Critical
Groups with well-known SIDs in their SID History	Hygiene	Critical
Inheritance is enabled on the AdminSDHolder container	Hygiene	Critical
KRBTGT accounts with Resource-Based Constrained Delegation	Hygiene	Critical
Managed and Group Managed Service accounts that have not cycled their password recently	Hygiene	Critical
Non-Tier Zero accounts are able to log onto Tier Zero computers	Hygiene	Critical
Non-Tier Zero accounts are members of DnsAdmins group	Hygiene	Critical
Non-Tier Zero accounts can access the gMSA root key	Hygiene	Critical
Non-Tier Zero accounts can link GPOs to the domain	Hygiene	Critical
Non-Tier Zero accounts can link Group Policy Objects to an Active Directory site	Hygiene	Critical
Non-Tier Zero accounts can link Group Policy Objects to Domain Controller OU	Hygiene	Critical
Non-Tier Zero accounts can perform a DCSync attack *Name to change	Hygiene	Critical
Non-Tier Zero accounts have access to write properties on certificate templates	Hygiene	Critical
Non-Tier Zero accounts that can promote a computer to a domain controller	Hygiene	Critical
Non-Tier Zero accounts with Microsoft Local Administrator Password (LAPS) access	Hygiene	High
Non-Tier Zero accounts with Migrate SID history permission delegation	Hygiene	Critical
Non-Tier Zero accounts with Reanimate tombstones permission delegation	Hygiene	Critical
Non-Tier Zero computer can be compromised through Resource-Based Constrained Delegation	Hygiene	High
Non-Tier Zero user accounts configured for Password Never Expires	Hygiene	High
Non-Tier Zero user accounts with Service Principal Names	Hygiene	Critical
Non-Tier Zero user accounts with write permissions over Resource-Based Constrained Delegation on the KRBTGT account	Hygiene	Critical
Non-Tier Zero users can create computer accounts	Hygiene	High
Non-Tier Zero users with access to gMSA password	Hygiene	Critical
Ordinary user accounts with hidden privileges (SDProp)	Hygiene	Critical
Printer Spooler service is enabled on a domain controller	Hygiene	Medium
Tier Zero account token can be stolen from a read-only domain controller	Hygiene	High
Tier Zero computer accounts that have not cycled their password recently	Hygiene	High
Tier Zero computer can be compromised through Resource-Based Constrained Delegation	Hygiene	High
Tier Zero computer is owned by a non-Tier Zero account	Hygiene	Critical
Tier Zero computer that has write permissions on Resource-Based Constrained Delegation granted to a non-Tier Zero account	Hygiene	High
Tier Zero computers that have not recently authenticated to the domain	Hygiene	High
Tier Zero Group Policy allows Recovery Mode to be not password-protected	Hygiene	Critical
Tier Zero groups that have computer accounts as members	Hygiene	High
Default Active Directory groups which should not be in use contain members	Hygiene	Critical
Tier Zero groups with SID History populated	Hygiene	Critical
Tier Zero user account is disabled	Hygiene	Medium
Tier Zero user accounts configured for Password Never Expires	Hygiene	High
Tier Zero user accounts whose passwords have not changed recently	Hygiene	High
Tier Zero user accounts with Service Principal Names	Hygiene	Critical
Tier Zero user accounts with SID History populated	Hygiene	Critical
Tier Zero users owned by non-Tier Zero accounts	Hygiene	Critical
Protected group credentials exposed on read-only domain controllers	Hygiene	High
Protected Users group is not being used	Hygiene	High
Schema Admins group contains members	Hygiene	Critical
User accounts do not require a password	Hygiene	High
User accounts have a reversible password	Hygiene	High
User accounts in protected groups that are not protected by AdminSDHolder (SDProp)	Hygiene	Critical
User accounts using DES encryption to log in	Hygiene	High
User accounts with Kerberos pre-authentication disabled	Hygiene	High
User accounts with non-default Primary Group IDs	Hygiene	Critical
User accounts with SID from local domain in their SID History	Hygiene	Critical
User accounts with unconstrained delegation	Hygiene	High
User accounts with well-known SIDs in their SID History	Hygiene	Critical
User accounts without readable Primary Group ID	Hygiene	Critical