There are a number of steps to configuring generic users to have shadow permissions to other users.

1) Create a Citrix Policy
In the Citrix Presentation Server Console:

- Right click on Policies and select Create Policy from the context menu
- Enter a policy name and click OK
- Right click on the created policy and select Properties... from the context menu
- Select User Workspace | Shadowing | Configuration
- Select the Enabled radio button, set required options, and click OK
- Select User Workspace | Shadowing | Permissions
- Select the Enabled radio button
- Click Configure to add groups that are allowed to shadow users
- Navigate to the group, click Add and ensure access is set to Allow, then click OK
- Click OK to exit the policy properties
- Right click on the created policy and select Apply this policy to... from the context menu
- Select Users
- Check Filter based on users
- Check Apply to all explicit (non-anonymous) users
- Click OK

2) Create a Group Policy
In Active Directory Users and Computers:

- Right click on the Citrix Server OU and select Properties from the context menu
- Select the Group Policy tab
- Click New and enter a policy name
- Click Edit
- Select Computer Configuration | Administrative Templates | System | Group Policy
- Double click on User Group Policy processing loopback mode in the right pane
- Select the Enabled radio button
- Select Merge for Mode and click OK
- Select User Configuration | Administrative Templates | Windows Components | Terminal Services
- Double click on Sets rules for remote control of Terminal Services user sessions in the left pane
- Select the Enabled radio button
- Configure the options to match the Citrix policy above and click OK

3) Wait...
The Citrix policy will only affect new connections to the ICA listener, so existing sessions cannot be controlled. The Group Policy will only apply at next logon.

Typical non-administrator user will not see any users enumerated in the Shadow Taskbar until these settings have applied.

If the policy is applied to a group, and a user is added to this group at a later date, users should be enumerated in the Shadow Taskbar almost immediately.

4) Publish the Shadow Taskbar
Users can use the Shadow Taskbar without requiring Administrator permissions in the Access Management Console.

Error 5 - Access Denied ...when Shadowing
http://support.citrix.com/article/CTX103473

Shadow policies with a priority higher than 2 are ignored
http://support.citrix.com/article/CTX101677