There is an excellent session on 802.1X available from ciscolive.com which covers the details of machine and user authentication and sequence of events (BRKSEC-3005).
802.1X Machine auth will happen first at Layer 2 and using RADIUS to pass machine auth credentials to ISE and then validated to AD server. The Windows client does not require access to any file server or AD until after machine auth. It doesn't even have an IP yet! The network access device will authorize machine via RADIUS. At this point, ISE can return a dACL or other permission which allows DHCP, DNS, and access to the AD domain controller to the endpoint for user login. After user login, then full access can be given to client. If machine auth is not used, then it may be necessary to place port into Low Impact mode where DHCP, DNS, and AD access are granted prior to user auth.