User Setup & Login Process – Free

ObjectiveResourcesKey Facts
List and describe the various editions of Editions
[Must / Medium /]
Explain the concept of record ownership.Every record in Salesforce must have an owner. Records can be owned by either users or queues. By default, the user that creates the record is the owner. Record owner is typically used to determine responsibilities (e.g. I manage the leads that I own), reporting (I am credited for the opportunities that I own), record security (discussed in Security Model – Free), and for a variety of other purposes.
Explain the difference between production and sandbox environments.Introduction to Sandboxes
[Should / Short /]
A sandbox is a copy of a production environment, commonly used for testing and development. Sandbox and production environments use different login URLs:

Explain the importance of Salesforce user records.Overview of User Records
[Must / 4m /]

Exercise: Create a New User
[Should / 5m /]
An active user record is required to login to Salesforce. Records can only be assigned to an active user or a queue.
Explain the difference between deactivating and freezing a user account.Deactivating (Deleting) User Accounts
[Must / Medium /]

Freezing User Accounts
[Should / Short /]
Freezing a user account will temporarily prevent a user from logging in (e.g. during a maintenance window, or if configuration prevents user deactivation), while deactivation of a user completely revokes access.

User records cannot be deleted.
Describe queues.Queues Overview
[Should / Short /]
Queues are used for a variety of purposes. Each queue can include multiple users, and is assigned to one or more objects. Members of the queue can then take ownership of a queue's records.

For instance, leads generated from the company's website are routed to a lead queue "Inside Sales". Members of the inside sales team then take ownership of leads owned by the queue as they have availability to call additional leads.
Explain the difference between user and feature licenses.Understanding User License Types
[Should / Medium /]

Viewing Feature Licenses
[Should / Short /]

Overview of User Records

Every user must be assigned one (and only one) user license. This is their primary license.

Users can also optionally be assigned one or more feature licenses.
Explain how licensing influences what actions a user can perform.

Overview of User Records

The combination of a user's licenses and permissions determines what functionality they can access and what actions they can perform within Salesforce.

For instance, to create a campaign within Salesforce, the user must have the Salesforce user license, the Marketing User feature license, and the permission to create campaign records (via profile or permission set). See Security Model – Free for details.
Explain the implications of user localization settings.User Localization Settings
[Must / 4m /]
Locale: changes display of dates, times, numbers, names, and addresses.

Language: determines which language translatable elements (UI, fields, etc.) are displayed in to the user.

Time zone: determines the offset used to display time references in Salesforce (similar to changing the time zone on your computer).

Currency locale: configured org-wide unless multiple currencies is enabled. Determines the formatting of currency fields, and used to determine currency conversion when multiple currencies is enabled.
Describe the translation capabilities of Salesforce.What languages does Salesforce support?
[Should / Medium /]

Setting Up the Translation Workbench
[Could / Medium /]

User Localization Settings

Salesforce has several tiers of language support; each supports translation to a different degree. Regardless of the language tier, custom elements (such as custom fields, objects, and picklist values) must be translated using the translation workbench.
Describe the capabilities of Salesforce to manage multiple currencies.Enabling Multiple Currencies
[Should / Short /]

Implications of Enabling Multiple Currencies
[Should / Medium /]

User Localization Settings

By default, Salesforce supports one currency within an org.

Multiple currencies can be enabled through configuration in most orgs (orgs using some versions of forecasting will require feature activation), and allows for static conversion rates between currencies.

Once multiple currencies is enabled, advanced currency management allows for dated exchange rates (e.g. use the exchange rate at the opportunity's close date instead of a static rate).
Describe the different methods that can be used to authenticate to Salesforce.User Authentication
[Must / 6m /]
Website: The standard Salesforce user interface.
API: Used for programmatic access, such as the data loader.
Single Sign On (SSO): Not discussed.
OAuth: Not discussed.
Describe the settings an administrator controls to conditionally allow or prevent user authentication.Who Sees What: Organization Access
[Must / 5m /]

What is an IP address?
[Could / Long /]

User Authentication

Login IP Ranges are used to prevent login except from specific IP addresses.
Login Hours are used to prevent login during certain hours of the day.
The permission (profile/permission set) "API Enabled" is required for a user to authenticate via the API.
Describe computer activation, and under what conditions it occurs.

User Authentication

Computer activation is designed to prevent unauthorized access to, particularly in the event of a hijacked username and password. Computer activation is required when all of the following conditions are false:
1. The user is logging in from within a Trusted IP range.
2. A browser cookie indicating a prior login is present.
3. The user has logged in from the current IP address previously.

Note: A previous login from the same IP address may no longer bypass computer activation. Please see Improved Security for Device Activation in the Spring '16 Release Notes.
Describe the capabilities of SMS based identity confirmation and two factor authentication.How do I enable SMS Based Identity Confirmation?
[Should / Medium /]

Setting Two-Factor Authentication
[Could / Long /]

See How Your Users Are Verifying Their Identity
[Could / Short /] now offers the ability to perform identity confirmation via SMS (text message) or via email. SMS provides an additional layer of security in case email credentials are compromised.

Two factor authentication refers to requiring two independent mechanisms to successfully authenticate.

The most common example of this is a username/password combined with a randomly generated number (similar to computer activation - however, the randomly generated number may be generated by another system or device, and is required for every authentication).
Describe how to monitor computer activations.Using Identity Confirmation Activations
[Could / Short /]
To monitor and revoke activations, navigate to Setup --> Security Controls --> Activations.
Describe the security token, and under what conditions it is required.

User Authentication

The security token is a mechanism designed to prevent unauthorized access via the API.
A user must append their security token to their password when authenticating via the API, unless they are connecting within a Trusted IP range.
Describe the steps required to login as another user.Letting Your Salesforce Administrator Access Your Account
[Must / 2m /]

Control Login Access
[Must / Short /]

Users: Scenario 1
[Should / 10m /]
The user must grant the administrator login access, or the administrator must have the setting "Administrators Can Log in as Any User" enabled. Once complete, the administrator can then login as users that have granted permission (or as any user when "Administrators Can Log in as Any User" is enabled), which is incredibly helpful for troubleshooting purposes.
Describe a session, and what settings influence sessions.Setting Session Security
[Should / Medium /]
A session is established when a user successfully logs in, and ends when a user logs out. I recommend exploring the session settings referenced in the article by navigating to Setup --> Security Controls --> Session Settings.
Describe the capabilities of Salesforce Adoption Manager.Salesforce Adoption Manager Feature Demo
[Should / 1m /]

Salesforce Adoption Manager FAQ
[Could / Short /]
Salesforce Adoption Manager (Setup --> Manage Users --> Adoption Manager) is a feature introduced in Spring '15 that sends customized notifications to users based on how they use Salesforce in order to drive more robust user adoption.

All Objectives Met

Users: Quiz
[Must / Short Quiz /]

Users: Feedback
[Should / Survey /]
Finished this section?  Next section: Security Model - Free

117 Responses to “User Setup & Login Process – Free”

  1. ksarathy November 15, 2017 at 6:28 pm #

    Hi John,

    Is a feature that needs to be bought separately from the Salesforce editions? For example, if a customer has the Enterprise edition, they also need to buy the to be able to build mobile and social apps?

    • JohnCoppedge November 20, 2017 at 7:39 pm #

      Things have gotten a bit confusing as has been used more and more interchangeably with – that said…

      From a licensing standpoint, some licenses (more commonly – Salesforce Platform) is a license type that allows for the creation of custom apps. These licenses have a subset of the capabilities of full – i.e. typically a full CRM license (e.g. Enterprise Edition) can do everything that a license can and more. Hope that windy answer helped 🙂

  2. September 30, 2017 at 2:31 pm #


    There is an explanation about licence type (e.g. sales cloud editions, service cloud editions, editions), besides that there is an explanation about user licenses e.g. standard user.

    Could you please clarify the relationship between those two types of licences?

    • JohnCoppedge October 2, 2017 at 1:08 pm #

      The marketing material and actual licensing in the application often don’t align 1 to 1. For example service cloud is a feature license of a salesforce user license, while is a separate user license. The “user licenses” documentation page outlines the licenses from the technical standpoint.

  3. flobart September 24, 2017 at 11:33 am #


    The link to “Setting Two-Factor Authentication” sends error 404 from:

  4. vincewlin August 25, 2017 at 5:53 pm #

    What are the key differences between Login IP ranges and Trusted IP ranges?

    • JohnCoppedge August 28, 2017 at 3:40 pm #

      Login IP ranges prevent login (e.g. cannot login outside x ip address) and remove login restrictions (e.g. activation)

      Trusted IP ranges remove login restrictions (e.g. activation)

  5. Yina Chun June 1, 2017 at 5:05 am #

    Hi John,

    What is the correct answer for the following:

    A user tries to log in from outside set IP range but within the Org-wide Trusted IP range. User will

    a. Be able to login without any security prompts
    b. Not be able to log in
    c. Be able to login after validating computer
    d. Be able to login after answer security question

    • JohnCoppedge June 1, 2017 at 8:25 pm #

      Not clearly worded but it should prevent login if they have login IP ranges turned on (b)

  6. FrodSFDC April 29, 2017 at 3:04 pm #

    The video on the below section is less than 4mins

    Describe the capabilities of SMS based identity confirmation and two factor authentication. >>>>Setting Two-Factor Authentication
    [Should / 7m (Watch Video) /]

  7. batatawada February 9, 2017 at 6:15 pm #

    Hi John,
    Can we use the Translation Workbench for Language-oriented email template for sending to leads?

    • JohnCoppedge February 15, 2017 at 2:20 am #

      No- translation workbench is for translating field labels, picklist values, and those sort of things – unless something has changed (which is always possible) you’d need separate email templates for each language

    • Syphr February 22, 2017 at 2:43 pm #

      What is the correct answer to this question? I got this question when I took certification but not sure if I answered correctly. I think my answer was D.

      he marketing team at universal containers wants to send an email to each lead received from its website. The country of the incoming lead should determine the language of the email that will be sent to the lead.
      How can the system administrator automate this process?
      a. Create an email template for each language and an assignment rule to send appropriate template
      b. Create an email template for each language and an auto response rule to send appropriate template
      c. Create an email template for each language and a workflow alert to send appropriate template
      d. Create a single email template and use the translation workbench to translate and send the appropriate template

      • JohnCoppedge February 22, 2017 at 5:19 pm #

        B – separate template required for each language

        man I recall getting a similar question when I took the admin test 10 years ago 🙂

  8. Henri Black December 1, 2016 at 7:42 pm #

    Hi John,
    I am in my developer org as sysAdmin, and went to create a queue (Setup | Queues) to try queues out. But there is no button to create a queue.
    Any idea why this would be? I checked the System Administrator profile and the three items Salesforce has documented are all checked.


    • Henri Black December 1, 2016 at 7:44 pm #

      Never mind – I see it now.

      • jaydelaune December 16, 2016 at 2:17 am #

        What did you see 😉 We are all learning from each other!

  9. siddharth1101 November 3, 2016 at 8:55 pm #

    Hi John,

    ‘What languages does Salesforce support?’ link in not valid anymore.


  10. nk005347 October 27, 2016 at 9:14 pm #

    Hi John, if ip range restriction is applied on profiles in an org, then trusted ip range is irrelevant, correct?


    • JohnCoppedge October 28, 2016 at 1:20 pm #

      Hi Nikhil,

      That historically was the case, although the documentation isn’t crystal clear (if login ip ranges inherently are counted as trusted… seems yes):

      Salesforce then checks whether the user’s profile has IP address restrictions. If IP address restrictions are defined for the user’s profile, logins from an undesignated IP address are denied, and logins from a specified IP address are allowed. If the Enforce login IP ranges on every request session setting is enabled, the IP address restrictions are enforced for each page request, including requests from client applications.
      If profile-based IP address restrictions are not set, Salesforce checks whether the user is logging in from a device used to access Salesforce before.
      If the user’s login is from a device and browser that Salesforce recognizes, the login is allowed.
      If the user’s login is from an IP address in your organization’s trusted IP address list, the login is allowed.
      If the user’s login is not from a trusted IP address or a device and browser Salesforce recognizes, the login is blocked.

      • nk005347 November 2, 2016 at 9:02 pm #

        What I am struggling to understand still is below scenario.

        1. if i set up login range against a X profile lets say –
        2. I set up trusted ip range of
        3. now user with profile X logs in from ip, will he be allowed to login?

        My understanding is that trusted ip is used to bypass additional authentication(like sms based token number) and hence in above scenario user will not be allowed to login.


        • JohnCoppedge November 17, 2016 at 1:52 am #

          Correct they should not be able to login, as they are outside of the login ip range

  11. sridarbiz October 22, 2016 at 7:33 pm #

    Queues Overview Link is not working..Please correct it.

  12. October 19, 2016 at 5:48 pm #

    Do you offer a study guide for the App Developer certification? I thought the Admin study guide was extremely helpful.
    Thanks Diana

  13. Agyasi Ampah February 27, 2016 at 4:02 pm #

    Hi John,

    i have an exam on Tuesday, so please advise.
    when a user is logged in and time expires what happens, i am getting 2 contrasting views


  14. February 5, 2016 at 10:04 pm #

    Hi John,
    I have question regarding users and role hierarchy for data access as manager.

    –>@any user’s edit page we can assign Manager to the user…as whom User have to report!.
    –>And when other way Role hierarchy also have one more manager whom same user have to report,.
    So this both have same access to subordinates data?

    • JohnCoppedge February 6, 2016 at 12:15 am #

      Manager only influences security if manager groups are used- otherwise it is role hierarchy only

      • February 6, 2016 at 1:01 am #

        Manager group????
        No idea..:(
        I was only asking for single manager selection at subordinate’s user’s detail .

  15. February 3, 2016 at 5:07 pm #

    Hi john,
    I wan to know where can we see API request from any users?

    Thank you

    • JohnCoppedge February 3, 2016 at 10:17 pm #

      You can see login requests through the user audit log (when they have logged in via the API) from the user record- hope that helps!

      • February 3, 2016 at 10:42 pm #

        where can i find audit log?….:(
        Can u pls navigate me…
        Thank you

  16. jrbarretoi January 31, 2016 at 5:12 pm #

    Took the test 2 weeks ago, one question came out like this (please dont take it literally) :

    “Jane´s profile has login hours from 8am to 5pm. She is currently working on an Opportunity and the clock has just turn to 5pm, what will happen?

    a) The session will be terminated, losing the work
    b) The session will continue until Jane logs out, and she will not be able to log back in again until next business day at 8am
    c) A pop up window will let Jane know her session is about to end
    d) The session will be terminated, but Jane will be able to keep working on the same record

    Please comment on this, especially after listening to “Who sees what: Organization Access” between 0:51 and 1:06 (link provided)



    • JohnCoppedge January 31, 2016 at 5:23 pm #

      It should be A- no actions can be taken (including saving a record) and all current sessions will be terminated once login hours are out of range.

      • jrbarretoi January 31, 2016 at 5:29 pm #

        I will never know. But when testing on my DEV, it actually let me keep working and session did not terminate, then I assumed the session could go on and on. (Reason why I chose B)

        When I tested again, I realized that after 6 minutes !!! (6 minutes is a lot) the session terminated. So I would blame the SF times not being too precise.

        Any clues?

        • JohnCoppedge January 31, 2016 at 5:32 pm #

          Any chance you had the default org time zone set differently (e.g. the default is probably PST)? 6 minutes does sound long- I did this test some time ago, but I remember it terminating my session almost down to the second.

      • danneyazbeck September 25, 2016 at 9:46 pm #

        I also had this question and am stumped because I get conflicting answers – but according to Salesforce why wouldn’t it be (d) – I think to not warn people when their session is ending and just boot them out leaving unsaved work lost is a very inefficient use of time – but no where can I find mention that the “Save” function would be nulled out – so even though she may not be able to add more content, she should be able to save the record and then session is terminated. Is my thinking wrong here?
        Set the days and hours when users with this profile can use the system.
        To allow users to log in at any time, click Clear All Times. To prohibit users from using the system on a specific day, set the start and end times to the same value.
        ****If users are logged in when their login hours end, they can continue to view their current page, but they can’t take any further action.*****

        • JohnCoppedge September 26, 2016 at 6:29 pm #

          If users are logged in when their login hours end, they can continue to view their current page, but they can’t take any further action.
          –> this is misleading. If they leave the page open, the browser will continue to display CACHED information. If they REFRESHED the page after login hours expired, they would get logged out.

          Any action (save, refresh, etc.) after login hours are expired would terminate the session and would be ignored (not saved).

          • danneyazbeck September 26, 2016 at 6:48 pm #

            Thanks John for getting back on this … perhaps I should add a post on the Ideas site to have some type of warning that the session is getting close to time out or allow “save” function to work on open records when login hours are enforced.


          • JohnCoppedge September 26, 2016 at 6:52 pm #

            That’s a good idea!

          • danneyazbeck October 19, 2016 at 5:26 pm #

            Had this question on my exam, but the choices included:
            Logged out – lose unsaved work
            Logged out – unsaved work kept until next login

            Now, is the correct answer still, logged out, lose unsaved work, since I can’t find any note that states the work unsaved will be kept? This was one (of many I should add) of those tricky questions on the exam that is gnawing at me as to which was correct.

          • JohnCoppedge October 19, 2016 at 5:45 pm #

            Logged out, lose work is correct!

            I will make a note of this for the next batch of updates.

            The reason for this is that every action in salesforce (record view, save, etc.) is predicated on a valid session. The information isn’t saved anywhere (only shown locally to the user in the browser) until the save button (clicked by the user) invokes the save action at the database level. The save action will be rejected if the session is invalidated (by login hours in this case, or by the user being deactivated, whatever).

  17. January 30, 2016 at 11:37 am #

    Hi John

    If I up login hours on user profile X that are matched with my org. time zone say 8:00-18:00 CET. My colleague who has the user profile X is now login our org. environment from her business trip in NYC, she logs in at 13:00PM NYC time but it is way pass the time indicated on her profile (on CET time zone) – will she be able to login?


    • JohnCoppedge January 31, 2016 at 5:22 pm #

      Login hours are based on the org default time zone; the user’s time zone will have no impact.

      • February 4, 2016 at 3:19 pm #

        Hi John,

        So in this case, I would need to change her login hours on her user record? is that the Locale field?
        Would that allow her to login outside of defined org default hours?

        • JohnCoppedge February 4, 2016 at 11:42 pm #

          Login hours are configured on the profile and are matched against the org default time zone- you would need to adjust the login hours on the profile to match the org hours.

          • February 6, 2016 at 10:29 am #

            I got a bit confused..
            1. We are able to set up Organisation login hours and even create teams that might have different login hours
            ONLY for the purpose of Escalation process?
            2. Profile: we can assign login hours on profile
            Determine the time a user can login in?
            3. User record: locale setting
            Not sure what this affect?!

          • February 6, 2016 at 10:32 am #

            on point 3:

          • JohnCoppedge February 8, 2016 at 2:53 pm #

            1. Login hours PREVENT login at certain times of the day. Login hours are based on the organization time zone- make sure to do the time zone math accordingly. This means if you needed to enforce login hours based on region, you would need a new profile for each region in a different time zone.
            2. Yes
            3. Locale does things like change the date format (e.g. from MM/DD/YYYY to DD/MM/YYYY)- more to it than that but that’s an example.

  18. January 24, 2016 at 3:40 pm #

    Under section: Session Security Levels
    Two-Factor Authentication — High Assurance

    John, could you please explain what two-factor auth. means?


    • JohnCoppedge January 25, 2016 at 7:33 pm #

      Sure- for more detail:

      2 factor is just that- 2 different ways to validate upon authentication.

      The most common form of authentication is 1 factor- password.

      If you were to add a second component (in ADDITION to the password), such as a bio-metric fingerprint scan (or token generation, or any number of other options), you would have two methods of authentication- hence 2 factors.

  19. January 24, 2016 at 3:24 pm #

    Lock sessions to the domain in which they were first used Associates a current UI session for a user, such as a community user, with a specific domain to help prevent unauthorized use of the session ID in another domain. This preference is enabled by default for organizations created with the Spring ’15 release or later.

    I have noticed that this is not enabled at my org. – is it something I should consider? I must say i am not sure i fully understand it could you please explain or direct me to reference on this?

    Many thanks,

    • JohnCoppedge January 25, 2016 at 7:30 pm #

      I believe what this setting is doing is restricting a session to a single domain upon login. For example if you logged in via the community site (e.g. but then tried to access the full salesforce site (e.g. – with my domain enabled), you would then have to re-authenticate to facilitate access (even if you were using the same credentials).

  20. January 23, 2016 at 10:42 am #
    “Let’s say a user just left your company. You want to deactivate the account, but the user is selected in a custom hierarchy field. Because you can’t immediately deactivate the account, you can freeze it in the meantime.”

    I am not sure i understand what “selected in a custom hierarchy field” means, could you please explain it?

    Thank you,

    • JohnCoppedge January 25, 2016 at 7:26 pm #

      A custom hierarchy field is a lookup from the user object to the user object. (e.g. A field to indicate a cross-report to a secondary non-direct manager)

  21. November 2, 2015 at 12:31 pm #

    in user Authentication in objective “User ” word is missing i think.

    • JohnCoppedge November 9, 2015 at 3:15 pm #

      I think it reads OK as written, but others please chime in if you think this is unclear: Describe the different methods that can be used to authenticate to Salesforce.

  22. July 14, 2015 at 3:40 pm #

    Hi John noticed 2 things
    1) SMS Identity Confirmation [Could / Long /] this link is broken now
    2) Minor thing, the link User Authentication [Must / 6m /] refers to IP addresses and appears before the link What is an IP address?
    [Could / Long /]. Might be useful to get the IP information earlier.


  23. Re_pregal July 12, 2015 at 4:40 pm #

    Hi John, I guess as of Summer 15 update users no longer need to grant Admins access, Admins can log in as Any user and is is now a standard feature, correct?

    • JohnCoppedge July 20, 2015 at 5:26 pm #

      It might be auto-enabled in new orgs… I can still configure it in my existing org.

  24. scottp July 8, 2015 at 6:02 pm #

    The link to SMS Identity confirmation is broken.

  25. chris May 20, 2015 at 1:37 am #

    Letting Your Salesforce Administrator Access Your Account – The video has been removed.

  26. Rena Bennett-Dellwo April 23, 2015 at 5:31 pm #

    Please confirm. When the business hours are set at the company profile level, blank = closed/no access and 12:00 AM-12:00 AM=24-hour access. When login hours are set at the user profile level, 12:00AM-12:00AM=closed/no access.
    If this is right, what does “None” mean at the user profile level? Does it mean 24-hour access?

    • JohnCoppedge April 23, 2015 at 5:59 pm #

      Set 24 hours checkbox for biz hours for around the clock; they are declared org wide but multiple hours can be set and referenced in case management. No login hours declared on the profile will allow 24 hour access. When login hours are set, then they are enforced.

  27. Christine Wong March 28, 2015 at 4:30 am #

    Hi John, can I check for this question: If user was logged in at 4.55pm but 5pm is the restricted time frame. What will happen after 5pm? Will he be automatically logged out with his items saved?

    • JohnCoppedge March 30, 2015 at 2:56 pm #

      The next action they take after 5pm will log them out – that means if they don’t click ‘save’ before 5pm, then their work will not be saved. Doesn’t matter what the action is (save, view a new record, report, etc.), they will get logged out.

  28. Ezekiel Apte March 23, 2015 at 8:07 pm #

    When logged in the top navigation bar continues to display ‘Login’ instead of ‘Logout’. However when I’m leaving this message it does correctly state that I’m logged in as ……

  29. Kevin Brown March 11, 2015 at 5:37 pm #

    Needs editing:

    The security token is mechanism

    …should read

    The security token is a mechanism

  30. Katie Routledge December 18, 2014 at 1:45 pm #

    Hi , quick question on queues, when assigning a case to a queue on creation, is it best practice to use assignment rules or a workflow which changes the owner when the record is saved? Or, doesn’t it matter?!

    Many thanks,


    • JohnCoppedge December 18, 2014 at 5:18 pm #

      I would review the service cloud section – if you can use an assignment rule, best practice would be to use an assignment rule over workflow

  31. Mian Fayyaz Ahmed December 9, 2014 at 3:32 pm #

    Thanks John putting everything together. I have passed today and this site really helps a lot. Looking forward to see Advance stuff soon.


    • Paul Temple December 9, 2014 at 3:39 pm #

      Congratulations Mian! I second the motion for more courses if you can find the time, John.

    • JohnCoppedge December 10, 2014 at 4:17 pm #

      Congrats Mian! Will work on additional courses one of these days 🙂

    • Vasu Sanghani December 22, 2014 at 9:39 pm #


      How long did it take you to go through everything, and do you have other experience? Yes, this site is really to the point and excellent.

  32. Mian Fayyaz Ahmed December 8, 2014 at 9:53 pm #

    There is one question about a user’s unsuccessful attempts to login. Administrator checked and found out the user trying with incorrect password. What should Administrator do? There are two options to choose out of four options.

    a. Click reset password on users detail page.
    b. Send email with users password.
    c. Click unlock on user’s record detail page.
    d. login as user and reset password.

    Option “a” is valid one but rest don’t make any sense to me.

    i. I am not able find any unlock option (Salesforce help:Resetting locked-out users’ passwords automatically unlocks their accounts as well.).
    ii. No option to send email user’s password as this done with reset as well.
    iii. Why you need to login as user (if possible) and reset password where reset password option is there.

    I have searched the possible answers and found the options a,c everywhere but I am not convinced. So your help required hope you don’t mind


    • JohnCoppedge December 8, 2014 at 10:08 pm #

      A user’s account can get locked if they attempt to login too many times with an invalid password. Check the security settings in the org- it will indicate the max # of attempts and the lockout policy. You may not see the option to unlock the account if it is not currently locked. I suspect A & C are valid- where is the question coming from?

      • Mian Fayyaz Ahmed December 8, 2014 at 10:39 pm #

        Thanks for your quick reply.

        You are right, when user locked out an “Unlock” button appears on user detail page which unlock the user and user can still use old password where as resetting password reset/change user’s password and it unlock the user as well.

        Thanks again for your help.

  33. Mian Fayyaz Ahmed December 6, 2014 at 6:50 pm #

    What actually happen when user is working on something but login hours end time reached.

    Will user be forcely logged out ?
    Will user be able to continue work until he/she logged out ?

    According to salesforce help user will be able to continue work but its not clear if user can do any CRUD actions/save changes or what ?

    • Mian Fayyaz Ahmed December 7, 2014 at 4:04 pm #

      I have simulated this scenario and found that system will logged you out with the message:

      “Your login attempt has failed. The username or password may be incorrect, or your location or login time may be restricted. Please contact the administrator at your company for help.”

      • JohnCoppedge December 8, 2014 at 4:05 pm #

        Correct- and it should not allow the user to take any actions (CRED) after login hours have expired. It won’t show them logged out on the screen until they refresh the page or try to take some action.

  34. Mian Fayyaz Ahmed December 6, 2014 at 5:57 pm #

    User trying to login but after several attempts he/she failed. You as administrator checked and there is no login attempt by this user at all. What is the reason ?

    * I think he is using wrong user id but there is no option to select as wrong user id.

    • Paul Temple December 6, 2014 at 6:27 pm #

      Wrong user ID is the only possible answer unless they went to the wrong login URL. ( for example)

      This question was also on my exam and wrong user ID was an option. (and the one I selected)

  35. Mian Fayyaz Ahmed December 6, 2014 at 5:35 pm #

    User trying to login from an IP.

    IP is in Company trusted IP range but not in Login IP range.

    Will user be able to login or access will be denied ?

    • Paul Temple December 6, 2014 at 5:39 pm #

      Login access will be denied if they are outside the login IP range set on the profile. Think of the scenario where someone in a department that should not have access is attempting to login. They are still a part of the company, and inside the trusted range, but they are not part of the department that has been allowed access.

      *****This exact question was on my exam***** and I drew a little picture on the paper to help myself create the scenario.

      [—Trusted Range———(Login IP Range)—-{user_in_question}——]

      Hope this helps.

  36. Georgio Mascagni December 5, 2014 at 3:55 am #

    Looks like they have removed the video entitled Securing your sales force organization as of 12/4/2014. Is there something else we should look at as a substitute?

    • JohnCoppedge December 8, 2014 at 3:59 pm #

      Thanks for the update – this information should be well covered in the security section, I wouldn’t worry too much about additional material.

  37. Paul Temple October 16, 2014 at 4:10 pm #

    “How to implement two factor authentication” is now 404

  38. Esther Phadnis October 12, 2014 at 11:20 pm #

    Hello John,

    Sales Cloud editions — Group Edition includes ‘Contact Management’, I do not see a separate edition for Contact Manager, please refer to the link below:

  39. Carl Herman August 28, 2014 at 11:52 pm #

    This is their primarily license.

  40. Kaira Bergstra March 2, 2014 at 4:35 am #

    seen from the exam asking, Which Feature Restricts a user’s ability to log into Salesforce? Choose 2.
    A. Trusted IP Ranges
    B. Login Hours
    C. Login IP Ranges
    D. Password Policies.

    D is obviously out.
    Amongst options A, B and C, many people advocate that A and B are the right answers. However, according to your definition for each of these methods suggest that Login Hours and Login IP Ranges limit users to access, whereas Trust IP Ranges remove the restriction. Hence I would choose B and C as right answers against the majority of the people.

    Can you please assist?


  41. Parvinderjit Singh December 30, 2013 at 4:06 pm #

    Letting Your Salesforce Administrator Access Your Account: The steps have changed a bit .. so the video might need an updation

    • JohnCoppedge December 31, 2013 at 3:17 pm #

      I’ve added a disclaimer to the start of the guide – the Improved Setup User Interface needs to be disabled. The instructions will then work. If the enhanced setup menu is enabled, the steps will vary some.

  42. Julie Curry June 28, 2013 at 7:14 pm #


    In the text to the right of “Understanding User License Types”.

    “Every user must be assigned one (and only one) feature license. This is their primarily license.

    Users can also optionally be assigned one or more feature licenses.”

    Should it read, “Every user must be assigned one (and only one) USER license. This is their primarily license.

    Users can also optionally be assigned one or more feature licenses.”

  43. Clare Weston April 18, 2013 at 2:48 pm #

    The video, Securing Your Salesforce Organization, isn’t loading so I’ve raised a case with Salesforce support.

Leave a Reply