diff --git a/src/cmds/ntux_cmd_chmod.c b/src/cmds/ntux_cmd_chmod.c
index 55b517d..a8d25cb 100644
--- a/src/cmds/ntux_cmd_chmod.c
+++ b/src/cmds/ntux_cmd_chmod.c
@@ -50,14 +50,29 @@ int ntux_cmd_chmod(const struct ntux_driver_ctx * dctx, const char * dunit)
 uint32_t access_group;
 uint32_t access_other;
 uint32_t access_admin;
+ uint32_t ace_flags;
 size_t size;
 int fd = -1;
 struct __ofd * ofd = 0;
 void * hasync = 0;
 uint32_t buf[0x300];
- /* initial version: only support m+p */
- if (!dctx->cctx->strmode || strcmp(dctx->cctx->strmode,"m+p"))
+ /* initial version: --strmode only */
+ if (!dctx->cctx->strmode)
+ return ntux_cmd_chmod_ret(
+ 0,0,0,
+ NTUX_CUSTOM_ERROR(
+ dctx,
+ NTUX_ERR_FLEE_ERROR));
+
+ /* ACE propagation: +p, -p */
+ if (!strcmp(dctx->cctx->strmode,"+p"))
+ ace_flags = NT_ACE_CONTAINER_INHERIT | NT_ACE_OBJECT_INHERIT;
+
+ else if (!strcmp(dctx->cctx->strmode,"-p"))
+ ace_flags = 0;
+
+ else
 return ntux_cmd_chmod_ret(
 0,0,0,
 NTUX_CUSTOM_ERROR(
@@ -128,16 +143,15 @@ int ntux_cmd_chmod(const struct ntux_driver_ctx * dctx, const char * dunit)
 access_owner = meta.owner_ace ? meta.owner_ace->mask : 0;
 access_group = meta.group_ace ? meta.group_ace->mask : 0;
 access_other = meta.other_ace ? meta.other_ace->mask : 0;
-
- /* initial version: only support m+p */
- access_admin = access_owner | NT_SEC_WRITE_DAC;
+ access_admin = meta.admin_ace ? meta.admin_ace->mask : 0;
 /* updated dacl */
 __xfi_acl_init_common_descriptor(
 &dstsd,
 meta.owner,meta.group,0,0,
 access_owner,access_group,access_other,
- access_admin,meta.system_acc);
+ access_admin,meta.system_acc,
+ ace_flags);
 if ((status = __xfi_set_security_object(
 hasync,
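Review bot: The new `/* ACE propagation: +p, -p */` comment does not say what each mode writes, which matters because `+p` sets both `NT_ACE_CONTAINER_INHERIT` and `NT_ACE_OBJECT_INHERIT`, so whatever access the rebuilt DACL grants will presumably be inherited by objects created under the target. I would expand it to something like `/* +p: ACEs are inherited by child containers and objects; -p: ACEs apply to this object only */`. The previously accepted spelling `m+p` now falls into the final `else` and is rejected, so any script or caller still passing it should be checked. The error code returned by that branch, and the rest of the function, lie outside the hunk.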
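Review bot: `access_admin` now falls back to 0 when `meta.admin_ace` is absent, where the removed line always gave administrators the owner mask plus `NT_SEC_WRITE_DAC`; the hunk does not show whether `__xfi_acl_init_common_descriptor` skips a zero mask or writes an ACE that grants nothing. Preserving the existing mask looks like the right behaviour for a propagation-only command, but the intent should be recorded where the old comment was deleted, e.g. `/* keep the existing admin mask: +p/-p changes inheritance only, never who has access */`. It is also worth confirming that the single `ace_flags` value is meant to replace whatever flags the existing ACEs carried, since none of the current flags are read from `meta` in the visible lines. The `__xfi_set_security_object` call continues past the end of the hunk.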