Though it says "Authenticated users", that actually means anything with an account on your domain, so it also includes your workstations. If you set SUS GPOs to apply to Authenticated Users then all of your systems will be using it.
I took Authenticated Users off of the permissions for my SUS policies and created two new groups, PC-SUS and SERVER-SUS. That way I can specify different settings for PCs and servers. In my case, PCs automatically download the approved updates and then install them at 4am (or the first boot after 4am, if the PC is powered down). The servers automatically download approved updates, but doesn't install them.
In my environment, when an administrator is logged into the server, they get a notification that the updates are available to install. Since some of the updates will require a reboot, you probably wouldn't want your servers rebooting on their own. So I usually schedule a server downtime period on the first weekend after MS releases a batch of updates so that I can install them on each server manually, then reboot them and make sure that the appropriate services are all running.