Active Directory System Container Operation Blocked: Fix 0x000021A7
You tried to modify or delete an object under the System container in Active Directory. Can't do that—it's locked down by design. Here's how to work around it.
What's actually happening here?
You're getting error 0x000021A7 because you tried to create, modify, move, or delete an object inside Active Directory's System container. The System container holds critical objects that Windows manages: things like default security principals, DNS zones, and group policy objects. The error is Windows saying, "No — you don't get to mess with that."
I've seen this most often when someone tries to move a computer account or a user object into the System container by accident, or when a junior admin runs a script that targets the wrong container. Had a client last month whose entire print queue died because a script tried to delete the "Print Queue" object under System. Total chaos until we figured out what happened.
Here's how to fix it, depending on what you were actually trying to do.
Cause #1: You're trying to create or modify an object in the System container via script or ADSI Edit
This is the most common trigger. You open ADSI Edit, navigate to CN=System,DC=yourdomain,DC=com, and try to create a new object or change an attribute. Or a PowerShell script hits that path. And you get the error.
The fix: Stop doing that. The System container is protected. If you need to store custom objects, create a new OU at the root of your domain and put them there. That's the only place you can reliably create objects without hitting this error.
If you absolutely must modify an existing object in the System container (like a DNS zone or a group policy), use the appropriate management tool instead of ADSI Edit. For DNS, use the DNS Manager snap-in. For group policies, use Group Policy Management Console. Those tools are designed to handle the underlying objects safely.
If you're writing a script, change the target path in your code. Here's a quick example that often trips people up — don't do this:
# WRONG — will throw 0x000021A7:
New-ADObject -Name "MyAppConfig" -Type "container" -Path "CN=System,DC=ad,DC=contoso,DC=com"Instead, use an OU:
# RIGHT:
New-ADOrganizationalUnit -Name "CustomConfig" -Path "DC=ad,DC=contoso,DC=com"
New-ADObject -Name "MyAppConfig" -Type "container" -Path "OU=CustomConfig,DC=ad,DC=contoso,DC=com"Cause #2: You're trying to delete or move an object out of the System container
Another classic: you've got a stale or orphaned object in the System container — like a leftover DNS zone from a failed domain controller demotion — and you try to delete it manually. Windows blocks it. Same if you try to move a default object (like a group policy) to a different OU.
The fix: First, figure out why the object is there. If it's a DNS zone, use DNS Manager to remove it. If it's a group policy, use GPMC. Those tools know how to clean up properly.
For truly orphaned objects (say, a leftover NTDS Settings object from a DC that died hard), you'll need to use ADSI Edit with elevated privileges and set the sDSPromotion attribute. Here's the step-by-step:
- Open ADSI Edit as Domain Admin (right-click, run as administrator).
- Connect to the Default Naming Context.
- Expand
CN=System,DC=yourdomain,DC=comand find the orphaned object. - Right-click the object, select Properties.
- Locate the
sDSPromotionattribute — if it exists, note its value. If not, you're probably not allowed to delete it. - If you must force-delete (and I mean must), set that attribute to empty or delete it via ADSI Edit. But honestly, call Microsoft Support first — I've seen people wreck their whole domain doing this.
One time at a client, we had a stray "Print Queue" object leftover from a failed upgrade. Deleting it via ADSI Edit gave this exact error. Turned out we needed to run repadmin /remove on the originating DC to clear it from the replication metadata first. Lesson: check replication state before deleting anything in System.
Cause #3: You're trying to promote a domain controller and the System container is corrupted
Less common, but nasty. You run dcpromo (or the newer Install-ADDSDomainController cmdlet) and it fails with 0x000021A7. Usually happens when the source domain's System container has missing or corrupted objects — like a missing CN=MicrosoftDNS container.
The fix: First, run a health check on the source domain controller:
dcdiag /v /c /q > c:\dcdiag.logLook for errors related to the System container. Common culprits: missing DNS zones, corrupted group policies, or stale trust objects.
If you find a missing container (like CN=MicrosoftDNS), you can re-create it using ADSI Edit. For example, to re-create the DNS container:
- Open ADSI Edit, connect to the Domain Naming Context.
- Navigate to
CN=System,DC=yourdomain,DC=com. - Right-click, New, Object.
- Select
container, name itMicrosoftDNS. - Then restart the DNS service on the source DC.
If the problem is a corrupted object you can't delete, your best bet is a metadata cleanup using ntdsutil. Run this on a working DC:
ntdsutil
metadata cleanup
connections
connect to server
quit
select operation target
list domains
select domain 0
list sites
select site 0
list servers in site
select server 0
quit
remove selected server That wipes the dead server's metadata. Then retry the promotion.
| Cause | Quick Fix |
|---|---|
| Creating objects in System container | Use an OU instead; never create custom objects directly under System. |
| Deleting/moving objects from System container | Use native tools (DNS MMC, GPMC) or clear replication metadata with repadmin. |
| Corrupted System container blocking DC promotion | Run dcdiag, re-create missing containers via ADSI Edit, or use ntdsutil metadata cleanup. |
Was this solution helpful?