This article provides an overview of the processes used by the different 'Discover Computers' methods available in the Sophos Enterprise Console.

Applies to the following Sophos product(s) and version(s)
Enterprise Console

Sophos Enterprise Console - Discover Computers

The following options are available for selection when choosing the 'Discover computers' option within Sophos Enterprise Console:

The following explains the processes used by each of these options.

Import from Active Directory (recommended)

Basic information

This option uses LDAP to search Active Directory for the computers/containers specified within the wizard. LDAP operations are run to search, list and retrieve the domains, containers and computers found. The credentials of the logged-on user are used to bind to AD and perform these operations.

Further detailed information

  1. An LDAP_SCOPE_BASE (Search the base entry only) operation is performed (this is part of the ldap_search_init_page Function)
  2. This gets the domain name values
  3. A further LDAP_SCOPE_BASE operation is performed but this time against the domain
  4. The LDAP port (389) is initialized and a set of LDAP_OPT functions (set options) are applied
  5. An AD bind is then performed with the logged on credentials
  6. A further LDAP_SCOPE_BASE operation is performed using these credentials
  7. An LDAP_SCOPE_ONELEVEL (Search all entries in the first level below the base entry, excluding the base entry) operation is then performed
  8. This gets the container values until there are no more entries. It then abandons the search

The above is all actioned by the EnterpriseConsole.exe process

Discover with Active Directory

Basic information

This option utilises LDAP to search Active Directory for computers. LDAP operations are run to search for and return any computers found. This is done using the machine$ account.

Further detailed information

The wizard gives the option of supplying credentials or skipping. However, either option will still use the machine$ account to perform the operation.

  1. A bind to the global catalogue is performed using the ADsOpenObject function.
  2. An LDAP search is then performed which returns the domains list. (This appears as part of the wizard where a domain can be selected)
  3. A connection is then made to the domain on port 389
  4. An LDAP query is then performed against the domain using the ExecuteSearch function: 
    This performs the following:
    LDAP_SCOPE_BASE (Search the base entry only)
    LDAP_SCOPE_SUBTREE (Search the base entry and all entries in the tree below the base)
    This returns all machines with their attributes
  5. If this fails, a GC query will be performed in the same way.
  6. Once no more results are returned it abandons the search and SEC will show the found machines

The above is all actioned by the MgntSvc.exe process
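
The three search scopes named in the two Active Directory methods above determine how much of the directory each one reads. The following is an added example, not Sophos code: it models the scopes over a small constructed directory, and the DNs and function names are hypothetical.

```python
import re

# Scope values as defined in the Windows LDAP API (winldap.h).
LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, LDAP_SCOPE_SUBTREE = 0x00, 0x01, 0x02

# Constructed sample directory (hypothetical names): DN -> objectClass.
DIRECTORY = {
    "DC=example,DC=local": "domainDNS",
    "CN=Computers,DC=example,DC=local": "container",
    "OU=Servers,DC=example,DC=local": "organizationalUnit",
    "CN=PC01,CN=Computers,DC=example,DC=local": "computer",
    "CN=SRV01,OU=Servers,DC=example,DC=local": "computer",
    "OU=Web,OU=Servers,DC=example,DC=local": "organizationalUnit",
    "CN=WEB01,OU=Web,OU=Servers,DC=example,DC=local": "computer",
}

def split_dn(dn):
    """Split a DN into lower-cased RDNs on commas not preceded by a backslash."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn) if rdn.strip()]

def depth_below(base, dn):
    """Levels that dn sits below base (0 = the base itself), or None if outside it."""
    b, d = split_dn(base), split_dn(dn)
    if len(d) < len(b) or (b and d[-len(b):] != b):
        return None
    return len(d) - len(b)

def search(base, scope, object_class=None, directory=DIRECTORY):
    """Return the DNs that a search with the given base and scope would match."""
    hits = []
    for dn, cls in directory.items():
        depth = depth_below(base, dn)
        if depth is None:
            continue
        in_scope = (depth == 0 if scope == LDAP_SCOPE_BASE else
                    depth == 1 if scope == LDAP_SCOPE_ONELEVEL else True)
        if in_scope and object_class in (None, cls):
            hits.append(dn)
    return hits

def import_from_ad(domain_dn):
    """Base check on the domain, then a one-level listing of its containers."""
    if not search(domain_dn, LDAP_SCOPE_BASE):
        raise LookupError("domain not found: " + domain_dn)
    return search(domain_dn, LDAP_SCOPE_ONELEVEL)

def discover_with_ad(domain_dn):
    """Subtree search that returns every computer object under the domain."""
    return search(domain_dn, LDAP_SCOPE_SUBTREE, object_class="computer")
```

The one-level search stops at the first-level containers, while the subtree search walks the whole domain and returns every computer object in it.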

Discover on the network

Basic information

A Microsoft API is used to interrogate the available domains using the credentials specified.

Further detailed information

  1. If credentials are supplied, the 'Discover' will be performed using these credentials. If no credentials are specified, a NULL set of credentials is used.
  2. A WNet function is then used to determine a list of available domains seen on the network.
  3. After choosing the domain, a further WNet function is used to determine machines within that domain. At this point no credentials are used to retrieve this information.

Discover by IP range

For further information on discovering computers by IP range see article 16436

If you need more information or guidance, then please contact technical support.

