Networks

Other than an actual intrusion/hacking situation, this can happen ona DHCP-enabled network if someone comes into your office and connects to your physical network (i.e., plugs into a wall jack, or directly into a switch, hub or router) with a machine that belongs to a different domain or workgroup. Their machine will get a DHCP address in your subnet and will be browsable (depending upon the level of security set up on that machine). Your network's master browsers see the domain/workgroup that machine belongs to and will add it to the browse list, but of course there is nothing there to browse except the individual machine. Once the machine is disconnected, the "phantom" workgroup or domain can stay on the browse list for quite some time, but it will eventually disappear - unless the same machine keeps getting reconnected to your network over and over again.

Whether you see this as an intrusion or just an annoyance of course depends on how sensitive you and your company are to network security. If you can readily identify the person, and they are a trusted person, then you still run the risk that a virus or worm infection from their machine could get into your network. If you don't know who it is, it could be someone trying to hack your network, and that would present a huge security risk. You would need to try to determine who is allowing someone from the outside to connect a non-authorized system to your network and confront that person.

Hope this helps!

Thanks heaps.

As I understand it, the workgroup browsing is handled by NetBIOS and WINS. I think that unless you have a WINS server the local cache of NetBIOS names is only good for a few minutes.

You can use the command line tool "NbtStat" to view or flush your local NetBIOS name cache.

Check your WINS servers for invalid entries.

http://www.comptechdoc.org/os/windows/win2k/win2kwins.html

2 other things can cause this. You bring a new computer onto the domain or take one off, they are usually in a "work" group until they join or rejoin a domain, or you simply have a computer on your network that has not been joined to the domain. This happens a lot in domains.
The second is a laptop. It has been brought in and plugged into the network. It is not a doamin member and may show up as a separate "work" group.
I will often look at one of our staff's private computers and download our virus info to them so we are constantly having odd workgroup or computer names show up. In our case though, we only bring these onto one of our subdomains where we can manage them better so we know what is going on.