diff --git a/builder/dockerfile/copy_windows.go b/builder/dockerfile/copy_windows.go
index 77cd866437..83640ebf42 100644
--- a/builder/dockerfile/copy_windows.go
+++ b/builder/dockerfile/copy_windows.go
@@ -43,8 +43,7 @@ func fixPermissionsReexec() {
 }
 
 func fixPermissionsWindows(source, destination, SID string) error {
-
-	privileges := []string{winio.SeRestorePrivilege, system.SeTakeOwnershipPrivilege}
+	privileges := []string{winio.SeRestorePrivilege, idtools.SeTakeOwnershipPrivilege}
 
 	err := winio.EnableProcessPrivileges(privileges)
 	if err != nil {
diff --git a/builder/dockerfile/internals_windows.go b/builder/dockerfile/internals_windows.go
index f4e18c9a4e..0d26e69ef3 100644
--- a/builder/dockerfile/internals_windows.go
+++ b/builder/dockerfile/internals_windows.go
@@ -11,7 +11,6 @@ import (
 	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/pkg/idtools"
 	"github.com/docker/docker/pkg/jsonmessage"
-	"github.com/docker/docker/pkg/system"
 	"golang.org/x/sys/windows"
 )
 
@@ -44,10 +43,10 @@ func getAccountIdentity(builder *Builder, accountName string, ctrRootPath string
 
 	// Check if the account name is one unique to containers.
 	if strings.EqualFold(accountName, "ContainerAdministrator") {
-		return idtools.Identity{SID: system.ContainerAdministratorSidString}, nil
+		return idtools.Identity{SID: idtools.ContainerAdministratorSidString}, nil
 
 	} else if strings.EqualFold(accountName, "ContainerUser") {
-		return idtools.Identity{SID: system.ContainerUserSidString}, nil
+		return idtools.Identity{SID: idtools.ContainerUserSidString}, nil
 	}
 
 	// All other lookups failed, so therefore determine if the account in
diff --git a/pkg/idtools/idtools_windows.go b/pkg/idtools/idtools_windows.go
index 35ede0fffa..0f5aadd496 100644
--- a/pkg/idtools/idtools_windows.go
+++ b/pkg/idtools/idtools_windows.go
@@ -6,6 +6,15 @@ import (
 	"github.com/docker/docker/pkg/system"
 )
 
+const (
+	SeTakeOwnershipPrivilege = "SeTakeOwnershipPrivilege"
+)
+
+const (
+	ContainerAdministratorSidString = "S-1-5-93-2-1"
+	ContainerUserSidString          = "S-1-5-93-2-2"
+)
+
 // This is currently a wrapper around MkdirAll, however, since currently
 // permissions aren't set through this path, the identity isn't utilized.
 // Ownership is handled elsewhere, but in the future could be support here
diff --git a/pkg/system/syscall_windows.go b/pkg/system/syscall_windows.go
index 0708e32595..afebed74d7 100644
--- a/pkg/system/syscall_windows.go
+++ b/pkg/system/syscall_windows.go
@@ -8,12 +8,15 @@ import (
 )
 
 const (
+	// Deprecated: use github.com/docker/pkg/idtools.SeTakeOwnershipPrivilege
 	SeTakeOwnershipPrivilege = "SeTakeOwnershipPrivilege"
 )
 
 const (
+	// Deprecated: use github.com/docker/pkg/idtools.ContainerAdministratorSidString
 	ContainerAdministratorSidString = "S-1-5-93-2-1"
-	ContainerUserSidString          = "S-1-5-93-2-2"
+	// Deprecated: use github.com/docker/pkg/idtools.ContainerUserSidString
+	ContainerUserSidString = "S-1-5-93-2-2"
 )
 
 var (