A Shadow Account is a secondary account used to connect to the remote computer on behalf of the primary record account to perform the designated tasks. A common scenario is that a user cannot reset a password however the Admin or root account can so that will be used instead.
Normally the record account is used to connect to the remote computer to execute scripts. When a shadow account is specified for the task the script is executed under the shadow account privileges although it still has access to the main record account.
For example, you configure a Windows Host record with the user
firstname.lastname@example.org to use in order establish secure remote sessions; however
email@example.com does not have full permissions on the remote host to execute specific commands. In this situation, when you would use this account to execute your tasks they would ultimately end up failing due to lack of permissions, but this is where Shadow Accounts can help. You can leave the limited user
firstname.lastname@example.org as the primary record account used for session connectivity and add a second Shadow Account
email@example.com which does have permissions to execute scripts on the remote host. This gives you the ability to control the amount of permissions granted during a remote session while not limiting your ability to execute tasks and scripts with the proper permissions.
Shadow Account can be added directly to Record Types (i.e. Windows Host) so that they inherit down to all Records created from them or they can be added directly to Records that have unique Tasks configured.