OK this helps a little, but not quite what I need.  I actually had no problem deleting the account and recreating with:

useradmin user add administrator -c "no admin privs" -g Guests

But my issue is that the account shows back up automatically in the Administrator group:

Name: administrator

Info: no admin privs

Rid: 500

Groups: Administrators,Guests

I also note that the Rid is still 500. 

So is there no way to have an account named "administrator" that is not this reserved account? 

I strongly believe you cannot have a account name "administrator" with out being it in a "administrators group". Why do you want to have a account name as administrator not being in this group? Why not create a differ group and add users to it with roles you want provide? I just want to understand the scenario, so that i can assist you in a better way.

We are using workgroup authentication for CIFS on a vfiler.  We want to allow passthrough access (no authentication required) for "administrator" from the servers.

We have accomplished this for user Administrator by making the passwords on the server and filer 'administrator' accounts match.  This works fine and Administrator on the servers can browse the CIFS shares without being prompted for credentials.

But, we do not want to have that "administrator" named account to be able to perform filer level administration tasks!  And while it would be nice to say, "just use a different username" which would be a great solution, sometimes we aren't in a position to say that.

I know we also have the option of enabling guest access, but I would prefer to not open it to everyone.

I actually that that was the scenario you were facing. Did you do CIFS setup in the following way?

Description

Procedure

1. On the filer, enter: cifs setup
2. Windows Workgroup authentication using the filer's user accounts, when prompted for What type of authentication will this filer use?, enter: 2.
Note: In step 2 above, if using NIS or the filer's /etc/passwd file for Windows Workgroup authentication, enter 3 (/etc/passwd and/or NIS based authentication) instead of 2.
Also, see 2010648: Cannot authenticate users in a Windows workgroup: enable plain text passwords
3. These prompts will follow:
   1. Enter Workgroup name.
   2. Create the filer's local administrator account.
4. To setup local Windows Workgroup users on the filer, use the useradmin useradd [username] command.
Note: If using NIS or the filer's /etc/passwd file for Windows Workgroup authentication, Windows Workgroup users cannot be created using the useradmin command.
5. Assign appropriate permissions for these local users on the Common Internet File System protocol (CIFS) shares using the cifs access command. See the cifs man page for details.

The following is a sample of cifs setup output for setting up a Windows Workgroup on a newly installed filer:

filer> cifs setup
Enable CIFS access to the filer by a Windows(tm) PC
         Your filer is currently only visible to PCs on the same net.
Do you wish to make the system visible via WINS? [no]:
         CIFS requires local /etc/passwd and /etc/group files formultiprotocol.
         Default passwd file will be created containing root, pcuser,
         and nobody.
Enter the password for root []:
Retype the password:
         This filer is currently licensed for CIFS only.
         The filer will be configured as a NTFS_only filer.  It can
         be changed to a Multiprotocol filer by reissuing the CIFS setupcommand.
         The default name of this filer will be FILER.
Do you want to modify this name? [no]:
         CIFS supports three types of user authentication:
         1. Windows Domain authentication.
         2. Windows Workgroup authentication using the filer's user accounts.
         3. /etc/passwd and/or NIS based authentication.
What type of authentication will this filer use? [1]: 2
         The filer will be part of a Workgroup, and will use local
         user accounts for authentication.
         This filer will be a member of the Windows Workgroup WORKGROUP.
Do you want to modify this name? [no]: WG1
         Please enter either yes or no.
Do you want to modify this name? [no]: yes
Enter the Workgroup for the filer []: WG1
         It is recommended that you create the local administrator
         account (FILER\administrator) for this filer.
Create the FILER\administrator account? [yes]:
Set the password for FILER\administrator:
Retype the password:
Thu Dec 20 11:18:33 PST [rc:info]: User added
Thu Dec 20 11:18:33 PST [rc:notice]: security style for /vol/vol0/ changed from unix to ntfs
CIFS local server is running.
filer> Thu Dec 20 11:18:47 PST [nbns_timer:info]: All CIFS name registrations complete for local server

Since the filer is not registering to a WINS server, clients outside the immediate subnet will be unable to browse for the filer in Network Neighborhood. It is recommended to also setup a local DNS server.  Another way to deal with name resolution is to populate the users with lmhosts or hosts files, although it is possible to use a WINS server even if the user is just in a workgroup.

Yes we did run through CIFS setup in that manner.  If we run through CIFS setup (or re-run it), and say NO to the "configure administrator account" part, would that allow us to add an account named administrator that is not Rid 500?

I just tested this out in lab and it seems to work.  The Rid is the same but it let me just set it as Guests:

>useradmin user list

Name: administrator

Info: not an administrator

Rid: 500

Groups: Guests

This should work OK?

Yes, it should work. Please mark this as answered if you a got this resolved.

Hope I helped.

Best Regards,

Ravi

Also please follow this link for a detailed explanation.

https://library.netapp.com/ecmdocs/ECMM1278285/html/sysadmin/6admacc3.htm

Good to hear that the issue is resolved. Thanks for posting the solution hear!

Best Regards,

Ravi