A network with no device registry is a network where every incident starts with the same wasted thirty minutes: finding out what's at that IP address, who manages it, and what it's supposed to be doing.

The first time this costs you is a production incident at 2am when something in the 192.168.1.0/24 range stops responding and no one can immediately identify whether it's a managed server, a legacy workstation, a printer, or a piece of equipment someone plugged in three years ago and forgot to document. The second time is an audit.

The Record That Every Device Deserves

IP and MAC Address are the minimum. MAC is the field that matters when DHCP has assigned something unexpected and you need to trace a device that's been moved or reconfigured. IP alone is insufficient because DHCP leases expire, reservations get changed, and static assignments get duplicated by someone who didn't check the registry first.

The DHCP boolean plus Lease Time is the combination that explains the dynamic range on your network — which devices float and which are anchored. A device flagged DHCP: false with no static entry in the registry is the first thing to investigate when you have mysterious new traffic.

Subnet Mask, Gateway, MTU, Primary and Secondary DNS — these fields are what you need during disaster recovery when the hardware has been replaced and you're rebuilding the network stack from documentation rather than from a backup config that may or may not reflect the current state.

The Active Directory Section Is Where It Gets Interesting

Domain, AD Domain NetBIOS Name, AD Server Name, WINS Server IP, Name Resolution (DNS or WINS), and the NTLMv2 authentication flag — these fields collectively describe whether a device is domain-joined, how it authenticates, and which legacy authentication protocols it's been configured to use or restrict.

The NTLMv2 flag is the one that matters for security audits. Mixed environments where older workstations or peripheral servers still negotiate NTLM rather than Kerberos are exactly the environments where pass-the-hash attacks succeed. A registry where the NTLMv2 restriction flag is visible per device means a security reviewer can filter immediately for the non-compliant machines rather than querying every device on the network individually.

The Workgroup field catches the non-domain devices — machines that were added during a hasty deployment or a remote office expansion and never got properly joined to the domain. They exist. They're usually running as Local Administrator. They're the entry point in half the successful lateral movement scenarios in small-to-medium business breach reports.
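
The filters described above, written out as an added example that is not part of the original article: a short Python audit over a constructed registry export that flags static devices with no recorded address, duplicated static assignments, workgroup-only machines, and devices without the NTLMv2 restriction. The column names, hostnames, MACs and addresses are assumptions made for illustration, and treating "DHCP: false with no static entry" as a static record with an empty IP field is one reading of that rule.

```python
import csv
import io
from collections import Counter

# Constructed sample registry; column names are assumptions for this example.
REGISTRY_CSV = """hostname,ip,mac,dhcp,domain,workgroup,ntlmv2
dc01,192.168.1.5,00:11:22:33:44:00,false,corp.example,,true
fs01,192.168.1.10,00:11:22:33:44:01,false,corp.example,,true
app02,192.168.1.10,00:11:22:33:44:02,false,corp.example,,true
ws17,192.168.1.57,00:11:22:33:44:03,true,corp.example,,false
kiosk3,,00:11:22:33:44:04,false,,WORKGROUP,false
prn05,192.168.1.80,00:11:22:33:44:05,true,,WORKGROUP,true
"""

def _flag(value):
    """Interpret a registry boolean stored as text."""
    return value.strip().lower() == "true"

def load_registry(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(devices):
    """Return {hostname: [finding, ...]} for devices that need review."""
    # Count how often each address is claimed by a static (non-DHCP) record.
    static_ips = Counter(
        d["ip"] for d in devices if not _flag(d["dhcp"]) and d["ip"]
    )
    findings = {}
    for d in devices:
        issues = []
        is_static = not _flag(d["dhcp"])
        if is_static and not d["ip"]:
            issues.append("static-without-address")
        if is_static and static_ips[d["ip"]] > 1:
            issues.append("duplicate-static-ip")
        if not d["domain"] and d["workgroup"]:
            issues.append("workgroup-only")
        if not _flag(d["ntlmv2"]):
            issues.append("ntlmv2-not-enforced")
        if issues:
            findings[d["hostname"]] = issues
    return findings

if __name__ == "__main__":
    for host, issues in audit(load_registry(REGISTRY_CSV)).items():
        print(f"{host}: {', '.join(issues)}")
```
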

Speed — 100Mbps or 1Gbps — is the bandwidth tier designation. It sounds trivial, but during a capacity review when you're trying to understand why a specific segment is saturating, knowing which devices are still on 100Mbps when the switches are expecting gigabit helps narrow the bottleneck quickly.

The Comments field is the institutional memory field. The device that requires a specific firmware version to stay stable on the domain. The server that has an exception on the firewall policy because of a vendor requirement. The workstation that reboots itself every 72 hours due to an unresolved BIOS bug that the manufacturer won't patch. None of that fits in a structured field. All of it needs to survive the next person who has to manage this network.