One of our admins asked me if there is a way that we can get all of the hostnames on one of those subnets that we don't have much visibility to. NMAP would have worked well, but I wanted to come up with a command that I could have had a non-technical person run and send me the output. So, using a little Command Line Kung-Fu, I came up with:
for /L %A in (0 1 255) do nbtstat -A "XXX.XX.XXX.%A">>hosts.txtSubstitute your subnet for the Xs in that command.
It worked like a champ. I suspect that there is an easier way to do this, but this worked easy enough.