Ghod I HATED this argument at the IT department.
"We should obfuscate the machine's use so hackers won't see easy targets."
You have to be kidding me. Most of the attacks won't bother trying to decypher some elaborate naming scheme, or get HR records to find out who's the CFO -- they'll just carpet bomb the entire network, and exploit any vulnerabilities they find. Frankly, if you have a hacker who already has access to the HR records BEFORE they break in, you've got a bigger problem, like maybe an inside job.
Workstation -> username. So when someone's downloading streaming porn and it's clobbering your bandwidth, you know who it is immediately. When the workstation changes hands to a new user, you should re-image the machine anyways.
We had the "serial number, referenced to a database" method at three locations, and each time I'd find out that someone was rushed and didn't update the database (or updated the wrong database), and I'd have to spend an afternoon validating all the entries again. This only served to slow me down, and didn't slow down our break-ins at all (which were, by the way, autonomous viruses and worms, not humans who could comprehend hostnames no matter what info we put there).
However, I did find some value in not naming machines by their purpose -- we did have a virus breakout that looked for machines named 'mail','smtp' or 'mx' for possible spam relays.
("why so many virus problems in places where you work?" I hear you ask. "are you some kind of shit IT guy?" No, I'm an IT guy that deals with C*Os who feel they don't have to follow the rules, and I get punished when I impose the rules upon them, even if it's for ISO 9001 compliance. Makes me sick; welcome to Toronto.)