Ended up opening a case with NetApp support on this. 

If you run CIFS setup > Workgroup Auth and you choose NOT to create the administrator account, you can then add it in like:

useradmin user add administrator -g Guests

And it works fine.

However, if you have already run CIFS setup and chose to create the administrator account, you need to use the domainuser functionality (which apparently also has functionality for Workgroups) to delete it from Administrators.  Good news is this doesn't require CIFS setup to be re-run.  In our case this CIFS instance wasn't in-use at the time, and I'm not sure of the effects on any running production system.

>useradmin user modify administrator -g Guests

>useradmin domainuser list -g Administrators

List of SIDS in Administrators

S-1-5-21-1495248761-1620592545-1363874994-500

>cifs lookup S-1-5-21-1495248761-1620592545-1363874994-500

name = FILER\administrator

> useradmin domainuser delete administrator -g Administrators

SID = S-1-5-21-1495248761-1620592545-1363874994-500

Domain User <administrator> successfully deleted from Administrators.

> useradmin user list

Name: administrator

Info:

Rid: 500

Groups: Guests

This gives us a user named administrator, but with no filer level administrative privs.