Network computer discovery

I am looking for the best way to search the local network for computers and bring them back in a list. Would people recommend using an LDAP query for computers, or is there another preferred way? I am trying to create a small app where you can click Browse and it brings up a window with all the machines listed, just to give you an idea of the final goal. The tool will be designed to run on several different domains, so I would not know the domain beforehand.

Let’s be clear on what you want, first. You want to list the computers in a domain, or you want to somehow scan the local network to find computers, without a domain?

Sorry, I did re-read that and it was a bit unclear. I think most of the time the script will be run inside a domain, but I wasn't sure which way people normally do this, whether they discover all local machines or pull the information from AD.

I’d say, “discover all” is probably not practical. You’d literally be writing a network scanner.

In terms of AD, I’d just get the Active Directory module and use Get-ADComputer. With a large result set you’d need to implement paging, but the cmdlet understands how to do that.

OK, but if I wanted to use this on several different domains without set DC information for each domain, is this information not too hard to detect? I was going to use SET and pull the logonserver from there, but I am guessing there is a better way.

OK, I just found the $env:logonserver variable; that should help. Thanks for the help, Don.

So, understand that “discovery” is also what an attacker would use to figure out your infrastructure, the better to hack you with :). That’s one reason why “discovery” is difficult - things like AD don’t sit around broadcasting their presence.

The AD cmdlets default to querying your logon domain, so you don’t explicitly need to know that information. Once you’re logged into a domain, you can also query trusting domains. You don’t need to know the name of a DC in order to connect to the domain, provided you’re logged in. Once you’re logged in, you can easily query that information from the domain itself. That’s the whole point of the system, really. The AD cmdlets do require that at least one DC be running the web management gateway service, which is there by default on 2008R2 and later.
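The approach described in the two replies above (Get-ADComputer against the logon domain, paging handled by the cmdlet, trusting domains reachable once logged in), as an added example that is not code from the thread. It assumes the RSAT ActiveDirectory module is installed, the user is logged on with a domain account, and at least one DC runs the AD Web Services gateway. `Get-ADTrust` is assumed available (it ships with the 2012 and later module); the `-Server` parameter is given a domain name rather than a DC name, so the DC locator picks a reachable controller.

```powershell
# Added example (not from the forum thread): enumerate enabled computer
# objects from the logon domain and, optionally, the domains that trust it.
# Assumptions: RSAT ActiveDirectory module present, domain-joined logon,
# Get-ADTrust available (2012+ module).
Import-Module ActiveDirectory

function Get-DomainComputerList {
    [CmdletBinding()]
    param(
        # Domain to query; defaults to the logon domain, as the AD cmdlets do.
        [string]$Domain = $env:USERDNSDOMAIN,

        # LDAP page size. Get-ADComputer pages automatically; this only tunes
        # how many objects come back per round trip on large domains.
        [int]$PageSize = 500,

        # Also query the domains that have a trust relationship with $Domain.
        [switch]$IncludeTrusts
    )

    $domains = @($Domain)
    if ($IncludeTrusts) {
        # Get-ADTrust returns one object per trust; Target is the partner domain.
        $domains += (Get-ADTrust -Filter * -Server $Domain).Target
    }

    foreach ($d in ($domains | Select-Object -Unique)) {
        # -Server accepts a domain name, so no DC name needs to be known.
        # OperatingSystem and LastLogonDate are not in the default property set.
        Get-ADComputer -Server $d -Filter 'Enabled -eq $true' `
            -Properties OperatingSystem, LastLogonDate `
            -ResultPageSize $PageSize |
            Select-Object @{ n = 'Domain'; e = { $d } },
                          Name, DNSHostName, OperatingSystem, LastLogonDate
    }
}

# Usage: inventory the logon domain plus trusting domains, as a sorted table.
Get-DomainComputerList -IncludeTrusts |
    Sort-Object Domain, Name |
    Format-Table -AutoSize
```

Restricting the filter to enabled accounts keeps stale objects out of the picker; the `LastLogonDate` column makes it easy to spot machines that have not checked in and should be investigated or decommissioned rather than acted on.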

The reason there isn’t a practical way to discover all local machines is that computers also don’t send out any announcement of their existence, and when they do, routers usually don’t forward that information across subnets. So non-AD discovery can be a time-consuming process that involves fairly complex algorithms, including querying routers to see what subnets they know about.

Thanks for the in-depth answer. I will have to look into the best way to go ahead with this. My end goal is to have a listbox control on a PowerShell form with a list of machines and a tickbox for each; you can then select the ones you want and perform certain actions. Thanks for the jumpstart, I will go and play with PowerShell Studio some more now.
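The end goal described in the last post (a form with one tickbox per machine, returning the selected names for further action), as an added example that is not the poster's code. It uses WinForms directly rather than PowerShell Studio, so it runs in plain Windows PowerShell; the computer names are supplied by the caller, and the commented usage line assumes the ActiveDirectory module from the earlier replies.

```powershell
# Added example (not from the forum thread): a WinForms picker with a
# checkbox per machine. Assumes Windows PowerShell (or PowerShell 7 on
# Windows) where System.Windows.Forms is available.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

function Show-ComputerPicker {
    [CmdletBinding()]
    param(
        # Names to offer; the caller decides where they come from (e.g. AD).
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    $form = New-Object System.Windows.Forms.Form
    $form.Text          = 'Select computers'
    $form.Size          = New-Object System.Drawing.Size(400, 500)
    $form.StartPosition = 'CenterScreen'

    # CheckedListBox provides the tickbox-per-item behaviour out of the box.
    $list = New-Object System.Windows.Forms.CheckedListBox
    $list.Location     = New-Object System.Drawing.Point(10, 10)
    $list.Size         = New-Object System.Drawing.Size(365, 400)
    $list.CheckOnClick = $true
    $list.Sorted       = $true
    [void]$list.Items.AddRange([string[]]$ComputerName)

    $ok = New-Object System.Windows.Forms.Button
    $ok.Text         = 'OK'
    $ok.Location     = New-Object System.Drawing.Point(300, 420)
    $ok.DialogResult = [System.Windows.Forms.DialogResult]::OK
    $form.AcceptButton = $ok

    $form.Controls.AddRange(@($list, $ok))

    # Return only the ticked names; an empty array if the dialog is closed.
    if ($form.ShowDialog() -eq [System.Windows.Forms.DialogResult]::OK) {
        return @($list.CheckedItems | ForEach-Object { [string]$_ })
    }
    return @()
}

# Usage (assumes the ActiveDirectory module): offer the domain's enabled
# computers, then run a harmless reachability check on the selection.
# $picked = Show-ComputerPicker -ComputerName (Get-ADComputer -Filter 'Enabled -eq $true').Name
# foreach ($c in $picked) {
#     [pscustomobject]@{ Computer = $c; Online = Test-Connection -ComputerName $c -Count 1 -Quiet }
# }
```

Keeping the picker separate from the query means the same form can be fed from any source (AD, a CSV inventory, a CMDB export), and whatever action follows operates only on the explicit selection rather than on everything the query returned.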