On XenApp 6 non-admin users cannot shadow user sessions although permissions were given to the user at the farm level. This happens because the user doesn’t have Remote Control rights on the ICA listner on the server.
Start the ICA Listner configuration from Start\Citrix\Administration Tools; note that the application takes a couple of seconds to start.
Once the ICA listener configuration has started, select the desired listener, ICA-TCP by default, and press Security.
From the permissions window for the selected listener press Advanced.
Once the Advanced Security Settings for ICA-TCP is open you will need to, add the security group and give it Remote control rights as follows. Press Add… to open the Select user, Computer, Service Account, or group window.
Type the name of the group, HELPDESK press Check Names to verify and then press OK.
Now from the Permission Entry for ICA-TCP window, verify that you’re setting the permissions to the right group, by checking the name and tick the Allow box for Remote Control and press OK.
Note: DO NOT tick any other boxes.
Once the Advanced Security Settings for ICA-TCP is active, verify that the HELPDESK group is in the list with Allow and Remote Control. Press Apply and OK.
Press OK to close any other window that was still open.
The changes take immediate effect on new connections and there is no requirement to restart services or reboot the server.