Unknown Workstations

On a network we manage which has around 60 workstations spread over a rather large building, we have discovered three workstations which appear to be in their own workgroup (called, simply enough, Workgroup.)

Using only the computer's name, and the IP address of the device, we are having a problem finding the computers, and do not have time to walk to each of the 60-some-odd computers in the building to find them. We are also unsure if they are end user laptops who are coming in for a bit of free bandwidth.

There are no wireless AP points, so these workstations are physically connected. We have added no additional PCs to the domain, so we know it's not someone one of our guys has overlooked.

Can someone recommend a course of action, or perhaps some tools to help in this situation? We have run port scans on the boxes to no great avail, and cannot sniff their traffic, because of the switches in place. And since we are unsure where they are, we cannot put them on a hub to make this easier.

As always, I appreciate any and all advice offered.

Can you actually PING them? If not how do you know they are physically connected? How did you discover them? Sorry for all the questions. Just trying to get a clear view of your situation before diving in with a few ideas I've got.

Oh, not at all. I appreciate your interest.

The workstations appear when viewing the entire network in My Network Places. A workgroup called Workgroup appears next to the normal domain and when viewed present three member workstations, with stock netbios names (i.e. DCK7GJ71.) Those names can be pinged currently and they have received addresses from the DHCP server. We are certain they are not appliances or printers.

I have a very easy way that you can trace down these computers without too much trouble. Hopefully your switches are Cisco, but if they aren't, you should be able to do a similar function. Chris made a very good post that explains how to track down PC's by their mac address , so check it out. If you don't have Cisco, let us know so we can point you in the right direction for the commands.

Nice one jwj! I was going to make the same suggestion after getting necronian's response back. Just a little addition ... If the PCs are on a different subnet and you can't use arp to get the MAC addresses, you can obtain them from the DHCP lease database.

Yep, I think this is the way to go. Use DHCP management to get the MAC address of the workstations, then use the switches to find out the port that MAC is conected to. Then visit with a pair of wire cutters! Alternatively, if this is people attaching their own non-domain machines then they must be getting something out of it other than resources provided by your domain. Top of the list is free internet access. So, having got their MAC addresses, you should be able to put a sniffer on the segment that goes to your internet router and get evidence there of their activities. You do need to track these guys down because they could be doing things that expose your company to risk or liability