By default, only users with local admin rights on an RDS server can do session shadowing on that server.

To allow a particular user or group to allow shadowing, run this from a command prompt on the RDS server:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "domain\group",2

In the command, replace domain\group with settings of your own. It's recommended to create a group specific for the job (e.g. RDS Shadowing) so you can run this command only once, and then add users to the group to allow them to shadow.