Identify the computer owning an IP address whose DNS record is ‘borrowed’ from an old computer

active-directory, domain-name-system, hostname, ip address

I am in the process of clearing out old computer accounts from an Active Directory domain that I inherited responsibility for.

In this environment stale records are not removed from DNS so there are a lot of cases where a machine or device has ended up with a DNS record of something that left the network ages ago.

What this means is that a device that shows up as 'computer442' when I run nslookup is not necessarily computer442. And I need to know what the device actually is before I know it's safe to delete the computer account 'computer442' from AD.

For any that respond to a ping with 'reply from [my ip] destination host unreachable' I assume there is nothing there so I delete them. But some of them do respond to a ping so I know there's something there.

So far I've been trying these…

  • Try to browse to it – \\computer442\c$
  • Try to connect to it – mstsc /v:computer442
  • See if it is a web server – http://computer442
  • Use portqry.exe to query common ports.

In some cases none of these things help, but there is definitely something responding to the ping. So is there a way to identify it?

Best Answer

I'm not here to spark a Windows vs Linux debate, but there is a utility called nmap which I find invaluable for such occasions. Happily it's available for Windows too: http://nmap.org/book/inst-windows.html

As an example, this is running from my Linux workstation to my Windows XP VM:

 ~ $ sudo nmap -O 192.168.2.116
Starting Nmap 6.25 ( http://nmap.org ) at 2013-08-29 20:08 BST
Nmap scan report for 192.168.2.116
Host is up (0.00032s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:48:3A:2E (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.11 seconds

As you can see, it can (attempt to) use the MAC address to identify the make of the network card, or sometimes the device itself, although in this particular instance it hasn't been particularly successful! It's a VirtualBox VM! :D

Nonetheless, check the ports section of the output and that makes it pretty clear that it's an M$ box... okay it COULD be a Linux box pretending to be a Windows box, but I'm assuming you know what OSes you have on your network.
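The question's checklist and the answer's nmap run can be folded into one repeatable check. The script below is an added example for this thread, not code from either poster: it reads the XML that `nmap -O -sV --script smb-os-discovery,nbstat -oX scan.xml <names>` writes and compares the name the device reports about itself over NetBIOS/SMB with the AD computer name whose DNS record led you to that IP. The scan output embedded in it is constructed, and the host names, addresses and MACs in it are made up.

```python
"""Cross-check an nmap scan of a stale AD computer name against what the
device on that IP says it is. Added example for this thread, not code from
the question or the answer; the scan XML below is constructed, not captured."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of what
#   nmap -O -sV --script smb-os-discovery,nbstat -oX scan.xml computer442 computer517
# could write: computer442's DNS record now points at a box calling itself
# LABPC07, and computer517's record points at something that speaks no SMB.
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up"/>
<address addr="192.168.2.116" addrtype="ipv4"/>
<address addr="08:00:27:48:3A:2E" addrtype="mac" vendor="Cadmus Computer Systems"/>
<hostnames><hostname name="computer442.corp.example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports>
<os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="100"/></os>
<hostscript>
<script id="nbstat" output="NetBIOS name: LABPC07, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:48:3a:2e"/>
<script id="smb-os-discovery" output="&#10;  OS: Windows XP (Windows 2000 LAN Manager)&#10;  Computer name: labpc07&#10;  NetBIOS computer name: LABPC07&#10;  Workgroup: WORKGROUP"/>
</hostscript></host>
<host><status state="up"/>
<address addr="192.168.2.140" addrtype="ipv4"/>
<address addr="00:1E:0B:12:34:56" addrtype="mac" vendor="Hewlett-Packard Company"/>
<hostnames><hostname name="computer517.corp.example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
</ports></host>
<host><status state="down"/><address addr="192.168.2.199" addrtype="ipv4"/></host>
</nmaprun>
"""

# nbstat prints "NetBIOS name: X, ..."; smb-os-discovery prints
# "Computer name: X" and "NetBIOS computer name: X". One regex covers all three.
NAME_RE = re.compile(r"(?:NetBIOS name|Computer name|NetBIOS computer name):\s*([^,\s]+)")


def short_name(name):
    """Normalise 'labpc07.corp.example' or 'LABPC07' to 'LABPC07' for comparison."""
    return name.split(".")[0].upper()


def parse_nmap_xml(xml_text):
    """Return one dict per live host: IP, MAC vendor, PTR name, open TCP ports,
    OS guess, and every name the device reported about itself over NetBIOS/SMB."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        if h.find("status").get("state") != "up":
            continue  # no reply at all: nothing there to identify
        info = {"ip": None, "mac_vendor": None, "ptr": None,
                "open_ports": [], "os": None, "reported_names": set()}
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                info["ip"] = a.get("addr")
            elif a.get("addrtype") == "mac":
                info["mac_vendor"] = a.get("vendor")
        ptr = h.find("hostnames/hostname[@type='PTR']")
        info["ptr"] = ptr.get("name") if ptr is not None else None
        for p in h.findall("ports/port"):
            if p.find("state").get("state") == "open":
                info["open_ports"].append(int(p.get("portid")))
        m = h.find("os/osmatch")
        info["os"] = m.get("name") if m is not None else None
        for s in h.findall("hostscript/script"):
            for n in NAME_RE.findall(s.get("output", "")):
                info["reported_names"].add(short_name(n))
        hosts.append(info)
    return hosts


def assess(expected_name, host):
    """Decide whether the device on this IP is the AD computer you think it is.
    'unconfirmed' means it never said who it is; MAC vendor and ports are the
    remaining clues. A matching PTR proves nothing, it is as stale as the A record."""
    want = short_name(expected_name)
    got = host["reported_names"]
    verdict = "unconfirmed" if not got else ("confirmed" if want in got else "mismatch")
    return {"expected": want, "reported": sorted(got), "verdict": verdict}


if __name__ == "__main__":
    for ad_name, host in zip(["computer442", "computer517"], parse_nmap_xml(SAMPLE_XML)):
        r = assess(ad_name, host)
        print(f"{ad_name:12} {host['ip']:15} {r['verdict']:11} says={r['reported']} "
              f"vendor={host['mac_vendor']} os={host['os']} ports={host['open_ports']}")
```

Two things to keep in mind when running the real scan: `-O` needs root (or Administrator on Windows), and the nbstat and smb-os-discovery scripts only return a name if UDP 137 or TCP 445 is reachable, so a firewalled workstation looks just like the printer in the sample and stays "unconfirmed".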