Topic last updated—March 2008

The Site System to Site Server Connection (SMS_SiteSystemToSiteServerConnection_sitecode) group grants the necessary permissions for Microsoft System Center Configuration Manager 2007 services running on remote site systems (such as management points) to connect to the site server to access the Configuration Manager 2007 registry keys and directories on the site server.

Members of this group have privileged access to site management data. If attackers can take control of any member of this group, it is equivalent to taking control of the site server. Use in-depth defense to protect members of this group. Promptly remove servers from this group when they no longer host server roles that require membership; Configuration Manager 2007 does not remove them.

Required Rights and Permissions

This group requires Read and Write access to the server inboxes.


The group is created on the Configuration Manager 2007 site server.

Type of Group

If the site server is a member server, it is a local group. If the site server is a domain controller, it is a domain local group.


Servers hosting the following site system roles should be members of this group, unless they are in a remote, untrusted forest:

  • Management points

  • System Health Validator points

  • State migration points

  • Fallback status points

  • Software update points

  • PXE service points

  • SMS Provider computers

  • Asset Intelligence synchronization point (Configuration Manager 2007 R2)

  • Out of band management point (Configuration Manager 2007 SP1)

Configuration Manager 2007 automatically tries to add these site system computer accounts to the group. If the site system is in a remote, untrusted forest, the site system computer account cannot send data back to the site server. In this case, instead of adding the site system to this group, you must configure the site system properties with the setting Allow only site server initiated data transfers from this site system and then the site server will pull all data from the site system.

Servers hosting reporting points, server locator points, and distribution points are not members by default, and they should not be added to this group because they do not require the privileged access granted to this group.

See Also