Ended up opening a case with NetApp support on this.
If you run CIFS setup > Workgroup Auth and you choose NOT to create the administrator account, you can then add it in like:
useradmin user add administrator -g Guests
And it works fine.
However, if you have already run CIFS setup and chose to create the administrator account, you need to use the domainuser functionality (which apparently also has functionality for Workgroups) to delete it from Administrators. Good news is this doesn't require CIFS setup to be re-run. In our case this CIFS instance wasn't in-use at the time, and I'm not sure of the effects on any running production system.
>useradmin user modify administrator -g Guests
>useradmin domainuser list -g Administrators
List of SIDS in Administrators
S-1-5-21-1495248761-1620592545-1363874994-500
>cifs lookup S-1-5-21-1495248761-1620592545-1363874994-500
name = FILER\administrator
> useradmin domainuser delete administrator -g Administrators
SID = S-1-5-21-1495248761-1620592545-1363874994-500
Domain User <administrator> successfully deleted from Administrators.
> useradmin user list
Name: administrator
Info:
Rid: 500
Groups: Guests
This gives us a user named administrator, but with no filer level administrative privs.