Goption

asked on

Server 2008 - finding odd entries in Resource Monitor

Hi all,

A strange one.

I have a mystery "something" accessing the System process on my DC. In the Performance Manager it shows up as using lsass.exe and the System process, and it goes by the name (Address field in the RM) of PCV.

I can also see a DHCP entry in the DHCP server for this; I have tried to ping it but to no avail.

How can I discover what this is?


Chris Dent


The DHCP entry should have a MAC address associated with it; if you can find where that's plugged in it would be a good start. Are your switches managed (can you view the MAC table)?

Chris
Goption

ASKER

Nope, all unmanaged switches, unfortunately.

I have a new entry in it for DHCP as well...

This is really doing my nut in, I tell you...

Also I am now seeing a whole list of entries in Resource Monitor which are using the DNS... The DNS isn't accessible externally, so what could be causing this?

thanks

Are the hosts all showing local IP Addresses?

Chris
Goption

ASKER

It's also appearing as a domain computer in Active Directory (pcv is).

Can I find what it's accessed and what it's been doing?
Goption

ASKER

Nope, the DNS users are showing as external IP addresses and in some instances are being shown by names like auth200 or indigo.

I am concerned by the pcv entry though...

You might check the Owner (Security); that may give an indication of who added it to the domain. That won't do much good if it was added by a member of Domain Admins though.

Chris
Goption

ASKER

The owner is "Domain Admins".

:(

Is there any way we can see what this machine has done since it has been in the domain?

thanks

You could try looking through the Security logs; how much is in there depends on the level of auditing you enabled.

How many domain admins do you have? I would just ask who added it, but then, I don't like people having domain admin rights ;)

Chris
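Added example (not part of the thread, and not Chris's script): the two leads given above, the Security log and the DHCP lease's MAC address, can be chased from the DC in one PowerShell script. It pulls the logon events that a computer account generates on a DC (4624 network logons plus the 4768/4769 Kerberos ticket events), reads the caller's IP out of the event XML, then resolves that IP to a MAC through the ARP cache and greps the DHCP lease table for it. It assumes PowerShell 2.0 on the Server 2008 DC, logon/account-logon auditing turned on, and that the script is run on the DHCP server itself; the scope address 192.168.1.0 is a placeholder to be replaced with your own.

```powershell
# Added example: locate the host behind a machine account (PCV$) by correlating
# the DC's Security log with the ARP cache and the DHCP lease table.
# Assumptions: PowerShell 2.0, logon auditing enabled, run on the DHCP server.
# $DhcpScope is a placeholder value; substitute the real scope network address.
param(
    [string]$ComputerAccount = 'PCV$',
    [string]$DhcpScope       = '192.168.1.0',
    [int]$MaxEvents          = 500
)

# Event IDs on a DC that record the caller's IP for a machine account:
#   4624  successful logon (network logon, carries IpAddress and WorkstationName)
#   4768  Kerberos TGT requested (IpAddress, often as ::ffff:a.b.c.d)
#   4769  Kerberos service ticket requested (IpAddress)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768, 4769 } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$hits = @()
foreach ($event in $events) {
    # The named EventData fields are only reachable through the event's XML rendering
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    if ($data['TargetUserName'] -ne $ComputerAccount) { continue }

    $ip = $data['IpAddress']
    if ($ip) { $ip = $ip -replace '^::ffff:', '' }      # strip the IPv4-mapped IPv6 prefix
    if (-not $ip -or $ip -eq '-') { continue }           # local or unknown source, no use to us

    $hits += New-Object PSObject -Property @{
        Time        = $event.TimeCreated
        EventId     = $event.Id
        IpAddress   = $ip
        Workstation = $data['WorkstationName']
    }
}

if (-not $hits) {
    Write-Warning "No logon events for $ComputerAccount in the last $MaxEvents Security events (check auditing)"
    return
}

$hits | Sort-Object Time | Format-Table Time, EventId, IpAddress, Workstation -AutoSize | Out-String | Write-Host

foreach ($ip in ($hits | Select-Object -ExpandProperty IpAddress -Unique)) {
    Write-Host "=== $ip ==="
    # A host firewall can drop ICMP, but if the DC shares a broadcast domain with the
    # host, the ARP cache still yields its MAC after any traffic to it (even a failed ping).
    $alive = Test-Connection -ComputerName $ip -Count 1 -Quiet
    Write-Host "Responds to ping: $alive"

    $pattern = "^\s*{0}\s+([0-9a-fA-F-]{{17}})" -f [regex]::Escape($ip)
    $arpLine = arp -a | Select-String -Pattern $pattern | Select-Object -First 1
    $mac = $null
    if ($arpLine) {
        $mac = $arpLine.Matches[0].Groups[1].Value
        Write-Host "MAC from ARP cache: $mac"
    } else {
        Write-Host "No ARP entry (host on another subnet, or silent)"
    }

    # Cross-check against the DHCP lease table; "show clients 1" includes the client name
    Write-Host "DHCP lease entries mentioning this IP or MAC:"
    $leases = netsh dhcp server scope $DhcpScope show clients 1
    $leasePattern = [regex]::Escape($ip)
    if ($mac) { $leasePattern += '|' + [regex]::Escape($mac) }
    $leases | Select-String -Pattern $leasePattern | ForEach-Object { Write-Host ("  " + $_.Line) }
}
```

Save it as a .ps1 and run it from an elevated prompt on the DC (which here is also the DHCP server). A MAC that appears in both the ARP cache and the lease table, while the IP refuses ICMP, is the pattern Chris describes: the box is online and authenticating but has a firewall up. With unmanaged switches the MAC's OUI (first three octets) at least tells you the NIC vendor, which narrows the walk-around.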
Goption

ASKER

I'm the only one, that's why I'm a bit shocked!

Where should I begin looking?
Goption

ASKER

Right, I have looked in the Security log and have found that "pcv" logs on every few minutes for a few seconds. I can't ping the DHCP address assigned to it though.

The user that is associated with the pcv machine is "pcv$"; I can't find any record for a username like this?

Also I can see it's an XP machine, Service Pack 3.

What else can I do to determine where this machine is?

> I can't find any record for a username like this?

That's the machine account sAMAccountName (it means the machine is authenticating); if it's doing that we can make the assumption that it's online.

I guess you can't access the c$ share? It's entirely possible it's running a firewall preventing you accessing it. It might be worth seeing if WMI is accessible; that would allow us to get things like the PC model, but if there's a firewall...

Let's give it a shot anyway. Run this script (it's VBScript, and will need saving as .vbs). Let me know if it throws an error, but it's likely that the machine isn't accessible if it does.

Chris
' Connect to WMI on the computer PCV
Dim objWMI : Set objWMI = GetObject("winmgmts:\\pcv\root\CIMV2")
 
' Get information about the computer system
Dim colItems : Set colItems = objWMI.ExecQuery("SELECT * FROM Win32_ComputerSystem")
 
For Each objItem In colItems
  WScript.Echo "Name: " & objItem.Name & vbCrLf & _
    "Manufacturer: " & objItem.Manufacturer & vbCrLf & _
    "Model: " & objItem.Model & vbCrlf & _
    "UserName: " & objItem.UserName
Next


Goption

ASKER

Exactly as you predicted, the script pulled back an error that it can't connect to the machine...

How many machines do you have? You might be only left with the old fashioned way (wandering around prodding people).

Chris
Goption

ASKER

Not that many any more, considering the recession! I'd say about 20!

No one has admin control, and I've interrogated everybody about what they may have brought into the network.

Disable the computer account and see if anyone becomes upset?

Chris
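Added example (not part of the thread): the AD-side checks Chris suggests, the object's owner and what the Security log shows, plus the final "disable it and see who complains" step, can all be done against the computer object from a Server 2008 DC with plain ADSI, which does not need the ActiveDirectory module (that only arrives with 2008 R2). The script reports who owns and created the object, when it joined, what OS it claims, its last logon and machine-password age, and disables it only when run with -Disable. The computer name defaults to the thread's "pcv"; everything else is read from the directory.

```powershell
# Added example: inspect (and optionally disable) a computer account with ADSI.
# Assumptions: run as a Domain Admin on a DC, PowerShell 2.0, no AD module needed.
param(
    [string]$ComputerName = 'pcv',
    [switch]$Disable
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
foreach ($attr in 'distinguishedName', 'whenCreated', 'operatingSystem', 'operatingSystemServicePack',
                  'dNSHostName', 'lastLogonTimestamp', 'pwdLastSet', 'userAccountControl', 'mS-DS-CreatorSID') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}
$result = $searcher.FindOne()
if (-not $result) { throw "No computer account named $ComputerName in this domain" }

# SearchResult property keys are lower-case; missing attributes are simply absent
function Get-Prop($res, $name) {
    if ($res.Properties.Contains($name) -and $res.Properties[$name].Count -gt 0) { $res.Properties[$name][0] } else { $null }
}
# lastLogonTimestamp and pwdLastSet are Int64 FILETIMEs; 0 means "never"
function ConvertFrom-FileTime($value) {
    if ($value -and $value -gt 0) { [DateTime]::FromFileTime($value) } else { $null }
}

$entry = $result.GetDirectoryEntry()

# Owner is Domain Admins whenever a member of that group joined the machine,
# so on its own it only says "an admin did it", as noted in the thread.
$owner = $entry.psbase.ObjectSecurity.Owner

# mS-DS-CreatorSID is populated only when an ordinary user joined the machine via the
# ms-DS-MachineAccountQuota allowance; when it is absent, an account with explicit
# create rights (an admin) did the join.
$creator = $null
$creatorSidBytes = Get-Prop $result 'ms-ds-creatorsid'
if ($creatorSidBytes) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($creatorSidBytes, 0)
    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = $sid.Value }
}

$uac  = Get-Prop $result 'useraccountcontrol'
$info = New-Object PSObject -Property @{
    DistinguishedName = Get-Prop $result 'distinguishedname'
    DnsHostName       = Get-Prop $result 'dnshostname'
    Owner             = $owner
    CreatedBy         = $creator
    WhenCreated       = Get-Prop $result 'whencreated'
    OperatingSystem   = ('{0} {1}' -f (Get-Prop $result 'operatingsystem'), (Get-Prop $result 'operatingsystemservicepack')).Trim()
    LastLogon         = ConvertFrom-FileTime (Get-Prop $result 'lastlogontimestamp')
    PasswordLastSet   = ConvertFrom-FileTime (Get-Prop $result 'pwdlastset')
    Disabled          = [bool]($uac -band 2)
}
$info | Format-List DistinguishedName, DnsHostName, Owner, CreatedBy, WhenCreated, OperatingSystem, LastLogon, PasswordLastSet, Disabled

if ($Disable -and -not $info.Disabled) {
    # ADS_UF_ACCOUNTDISABLE = 0x2. Once set, the machine can no longer authenticate to the
    # domain, so its periodic logons in the Security log stop and its user (if any) notices.
    $entry.Put('userAccountControl', ($uac -bor 2))
    $entry.SetInfo()
    Write-Host "Disabled $($info.DistinguishedName)"
}
```

Run it once without -Disable to get the picture: WhenCreated tells you when the box joined, PasswordLastSet within the last 30 days confirms it is a live domain member (machine passwords rotate on that schedule), and CreatedBy distinguishes "a user joined it with their own credentials" from "someone used an admin account". Re-run with -Disable to act on Chris's last suggestion; flip the bit back with the same script logic (`-bxor 2`) if the owner turns up.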
ASKER CERTIFIED SOLUTION
Goption

This solution is only available to members of Experts Exchange.